
Windows Analysis Report
MediaCreationTool.bat

Overview

General Information

Sample name: MediaCreationTool.bat
Analysis ID: 1431721
MD5: dd0dc9282ef05a1fa257adbdd0c020d5
SHA1: 4c8697cc01a50f5776cdbd2bee3fe4fc447a892c
SHA256: e9960d7eedbedcd62f96c9420d95845f4bad4a90d491371ddbb788ba01da1d44

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Powershell uses Background Intelligent Transfer Service (BITS)
Self deletion via cmd or bat file
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Uses cmd line tools excessively to alter registry or file data
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Too many similar processes found
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64_ra
  • cmd.exe (PID: 5560 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\MediaCreationTool.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • chcp.com (PID: 5232 cmdline: chcp 437 MD5: 33395C4732A49065EA72590B14B64F32)
    • reg.exe (PID: 5720 cmdline: reg add HKCU\Console /v ForceV2 /d 0x01 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 2224 cmdline: reg add "HKCU\Console\MCT" /v ScreenColors /d 31 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 5668 cmdline: reg add "HKCU\Console\MCT" /v ColorTable00 /d 0x000000 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 5652 cmdline: reg add "HKCU\Console\MCT" /v ColorTable08 /d 0x767676 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 5628 cmdline: reg add "HKCU\Console\MCT" /v ColorTable01 /d 0x9e5a00 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 1952 cmdline: reg add "HKCU\Console\MCT" /v ColorTable09 /d 0xff783b /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 4756 cmdline: reg add "HKCU\Console\MCT" /v ColorTable02 /d 0x0ea113 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 3632 cmdline: reg add "HKCU\Console\MCT" /v ColorTable10 /d 0x0cc616 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 4216 cmdline: reg add "HKCU\Console\MCT" /v ColorTable03 /d 0xdd963a /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 6568 cmdline: reg add "HKCU\Console\MCT" /v ColorTable11 /d 0xd6d661 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 6848 cmdline: reg add "HKCU\Console\MCT" /v ColorTable04 /d 0x1f0fc5 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 460 cmdline: reg add "HKCU\Console\MCT" /v ColorTable12 /d 0x5648e7 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 6548 cmdline: reg add "HKCU\Console\MCT" /v ColorTable05 /d 0x981788 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 2524 cmdline: reg add "HKCU\Console\MCT" /v ColorTable13 /d 0x9e00b4 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 3552 cmdline: reg add "HKCU\Console\MCT" /v ColorTable06 /d 0x009cc1 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 3528 cmdline: reg add "HKCU\Console\MCT" /v ColorTable14 /d 0xa5f1f9 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 6196 cmdline: reg add "HKCU\Console\MCT" /v ColorTable07 /d 0xcccccc /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 6836 cmdline: reg add "HKCU\Console\MCT" /v ColorTable15 /d 0xffffff /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 452 cmdline: reg add "HKCU\Console\MCT" /v QuickEdit /d 0x0000 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 6684 cmdline: reg add "HKCU\Console\MCT" /v LineWrap /d 0 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 4700 cmdline: reg add "HKCU\Console\MCT" /v LineSelection /d 0x0001 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 3680 cmdline: reg add "HKCU\Console\MCT" /v CtrlKeyShortcutsDisabled /d 0 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 4760 cmdline: reg add "HKCU\Console\MCT" /v WindowSize /d 2097272 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 376 cmdline: reg add "HKCU\Console\MCT" /v ScreenBufferSize /d 655294584 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 5372 cmdline: reg add "HKCU\Console\MCT" /v FontSize /d 0x00100008 /t reg_dword /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 6552 cmdline: reg add "HKCU\Console\MCT" /v FaceName /d "Consolas" /t reg_sz /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • attrib.exe (PID: 6740 cmdline: attrib -R -S -H "C:\ESD" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • Robocopy.exe (PID: 6920 cmdline: robocopy "C:\Users\user\Desktop\/" "C:\ESD/" "MediaCreationTool.bat" MD5: A4044E84AA1B75389DAA08398D90DFFD)
    • cmd.exe (PID: 6764 cmdline: cmd /d /x /c set "ROOT=C:\Users\user\Desktop" & call "C:\ESD\MediaCreationTool.bat" set MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 3860 cmdline: chcp 437 MD5: 33395C4732A49065EA72590B14B64F32)
      • attrib.exe (PID: 2888 cmdline: attrib -R -S -H "C:\ESD" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • Robocopy.exe (PID: 2952 cmdline: robocopy "C:\ESD\/" "C:\ESD/" "MediaCreationTool.bat" MD5: A4044E84AA1B75389DAA08398D90DFFD)
      • cmd.exe (PID: 6344 cmdline: C:\Windows\system32\cmd.exe /c echo prompt $h$s$h:|cmd /d MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • cmd.exe (PID: 7016 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo prompt $h$s$h:" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • cmd.exe (PID: 2004 cmdline: cmd /d MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 2948 cmdline: C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|" 2>nul MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • reg.exe (PID: 7012 cmdline: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 6268 cmdline: C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|" 2>nul MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • reg.exe (PID: 340 cmdline: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 5464 cmdline: C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|" 2>nul MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • reg.exe (PID: 1200 cmdline: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 1248 cmdline: C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|" 2>nul MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • reg.exe (PID: 1036 cmdline: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 6352 cmdline: C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|" 2>nul MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • reg.exe (PID: 5704 cmdline: reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 5516 cmdline: C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1! MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • cmd.exe (PID: 6996 cmdline: cmd /q /v:on /c echo !.:~2,1! MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • cmd.exe (PID: 1888 cmdline: C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1! MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • cmd.exe (PID: 4016 cmdline: cmd /q /v:on /c echo !.:~2,1! MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • findstr.exe (PID: 3848 cmdline: findstr /c:\ /a:f0 " Detected Media "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 4532 cmdline: findstr /c:\ /a:6f " en-US "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 7036 cmdline: findstr /c:\ /a:9f " Enterprise "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 2204 cmdline: findstr /c:\ /a:2f " x64 "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 3492 cmdline: findstr /c:\ /a:1f "1 Auto Upgrade : MCT gets detected media, script assists setupprep for upgrading "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 6504 cmdline: findstr /c:\ /a:1f "2 Auto ISO : MCT gets detected media, script assists making ISO here | C:ESD "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 4628 cmdline: findstr /c:\ /a:1f "3 Auto USB : MCT gets detected media, script assists making USB stick target "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 3944 cmdline: findstr /c:\ /a:1f "4 Select : MCT gets selected Edition, Language, Arch onto specified target "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 1164 cmdline: findstr /c:\ /a:1f "5 MCT Defaults : MCT runs unassisted, creating media without script modification "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 5096 cmdline: findstr /c:\ /a:17 "1-4 adds to media: PID.txt, EI.cfg, $ISO$ dir, auto.cmd for upgrade and tpm checks "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 5816 cmdline: findstr /c:\ /a:17 "can rename script: "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 6568 cmdline: findstr /c:\ /a:1f "def MediaCreationTool.bat"\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 6848 cmdline: findstr /c:\ /a:17 " to always create unmodified MCT media "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • cmd.exe (PID: 6544 cmdline: C:\Windows\system32\cmd.exe /c powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 6960 cmdline: powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • fltMC.exe (PID: 4192 cmdline: fltmc MD5: 6AB08CADCE7DF971A043DCD1257D7374)
      • attrib.exe (PID: 7036 cmdline: attrib -R -S -H "C:\ESD" /D MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • findstr.exe (PID: 2204 cmdline: findstr /c:\ /a:f0 " Windows 11 Version "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 3492 cmdline: findstr /c:\ /a:5f " 23H2 "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 6504 cmdline: findstr /c:\ /a:f1 " 22631.2861.231204-0538.23H2_ni_release_svc_refresh "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 1744 cmdline: findstr /c:\ /a:6f " en-US "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 4756 cmdline: findstr /c:\ /a:9f " Enterprise "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • findstr.exe (PID: 6692 cmdline: findstr /c:\ /a:2f " x64 "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • powershell.exe (PID: 4216 cmdline: powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 1388 cmdline: powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • expand.exe (PID: 7028 cmdline: expand.exe -R products11_23H2.cab -F:* . MD5: 3080AD9250254478269B486EC15C25FF)
      • findstr.exe (PID: 1304 cmdline: findstr /c:\ /a:0f " Auto Upgrade "\..\c nul MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
      • powershell.exe (PID: 1068 cmdline: powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:PRODUCTS_XML\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1';iex($0+$1)" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • makecab.exe (PID: 364 cmdline: makecab products.xml products.cab MD5: FF47E32B1B45D1DE2ECC39107B365563)
      • powershell.exe (PID: 640 cmdline: powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]generate_auto_cmd')[1];" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 552 cmdline: powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]generate_AutoUnattend_xml')[1];" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • Dism.exe (PID: 1984 cmdline: dism /cleanup-wim MD5: EBCC4E59DE824F22C090F20168FB5EAE)
      • powershell.exe (PID: 2072 cmdline: powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]Assisted_MCT')[1];" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • MediaCreationTool11_23H2.exe (PID: 6776 cmdline: "C:\ESD\MCT\MediaCreationTool11_23H2.exe" /SelfHost /Action CreateMedia /MediaLangCode en-US /MediaEdition Enterprise /MediaArch x64 /Pkey Defer /Compat IgnoreWarning /MigrateDrivers All /ResizeRecoveryPartition Disable /ShowOOBE None /Telemetry Disable /CompactOS Disable /DynamicUpdate Disable /SkipSummary /Eula Accept MD5: 25C9285C00EF7D41B28823A053A9A372)
          • SetupHost.exe (PID: 3608 cmdline: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web /Eula Accept /Selfhost "/Action" "CreateMedia" "/MediaLangCode" "en-US" "/MediaEdition" "Enterprise" "/MediaArch" "x64" "/Pkey" "Defer" "/Compat" "IgnoreWarning" "/MigrateDrivers" "All" "/ResizeRecoveryPartition" "Disable" "/ShowOOBE" "None" "/Telemetry" "Disable" "/CompactOS" "Disable" "/DynamicUpdate" "Disable" "/SkipSummary" MD5: ED6DA1611D817426E4B7DE89FE458F76)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
MediaCreationTool.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
MediaCreationTool.bat | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security

Source | Rule | Description | Author | Strings
C:\ESD\MediaCreationTool.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
C:\ESD\MediaCreationTool.bat | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security

Source | Rule | Description | Author | Strings
Process Memory Space: Robocopy.exe PID: 6920 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

Source | Rule | Description | Author | Strings
amsi64_4216.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi64_1388.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]generate_auto_cmd')[1];", CommandLine: powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]generate_auto_cmd')[1];", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /d /x /c set "ROOT=C:\Users\user\Desktop" & call "C:\ESD\MediaCreationTool.bat" set, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6764, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]generate_auto_cmd')[1];", ProcessId: 640, ProcessName: powershell.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 640, TargetFilename: C:\ESD\MCT\auto.cmd
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)", CommandLine: powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6544, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)", ProcessId: 6960, ProcessName: powershell.exe
No Snort rule has matched

Source: C:\$Windows.~WS\Sources\SetupHost.exe | File created: C:\$Windows.~WS\Sources\Panther\setuperr.log
Source: C:\$Windows.~WS\Sources\SetupHost.exe | File created: C:\$Windows.~WS\Sources\Panther\setupact.log
Source: Binary string: diagtrackrunner.pdb source: DiagTrackRunner.exe.98.dr
Source: Binary string: SetupCore.pdbGCTL source: SetupCore.dll.98.dr
Source: Binary string: unattend.pdb source: unattend.dll.98.dr
Source: Binary string: bootsvc.pdb source: bootsvc.dll.98.dr
Source: Binary string: unbcl.pdbGCTL source: unbcl.dll.98.dr
Source: Binary string: ServicingCommon.pdbGCTL source: ServicingCommon.dll.98.dr
Source: Binary string: MediaSetupUIMgr.pdb source: MediaSetupUIMgr.dll.98.dr
Source: Binary string: wimgapi.pdb source: wimgapi.dll.98.dr
Source: Binary string: SetupPlatform.pdb source: setupplatform.dll.98.dr
Source: Binary string: wpx.pdbGCTL source: wpx.dll.98.dr
Source: Binary string: SetupHost.pdbGCTL source: SetupHost.exe, 00000063.00000000.1700326395.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, SetupHost.exe.98.dr
Source: Binary string: wdscore.pdbGCTL source: SetupHost.exe, 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, wdscore.dll.98.dr
Source: Binary string: SetupPlatform.pdbGCTL source: setupplatform.dll.98.dr
Source: Binary string: HwReqChk.pdb source: hwreqchk.dll.98.dr
Source: Binary string: MediaSetupUIMgr.pdbGCTL source: MediaSetupUIMgr.dll.98.dr
Source: Binary string: utcapi.pdb source: utcapi.dll.98.dr
Source: Binary string: diagER.pdb source: Diager.dll.98.dr
Source: Binary string: SetupPrep.pdb source: MediaCreationTool11_23H2.exe, 00000062.00000003.1683461084.0000000004A10000.00000004.00000020.00020000.00000000.sdmp, MediaCreationTool11_23H2.exe, 00000062.00000003.1684947549.0000000002C08000.00000004.00000020.00020000.00000000.sdmp, MediaCreationTool11_23H2.exe, 00000062.00000000.1682118339.00000000003B1000.00000020.00000001.01000000.0000000A.sdmp, MediaCreationTool11_23H2.exe, 00000062.00000003.1684604372.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WinDlp.pdbGCTL source: WinDlp.dll.98.dr
Source: Binary string: .ni.pdb source: wdsutil.dll.98.dr
Source: Binary string: diagtrack.pdbGCTL source: DiagTrack.dll.98.dr
Source: Binary string: HwReqChk.pdbGCTL source: hwreqchk.dll.98.dr
Source: Binary string: bootsvc.pdbGCTL source: bootsvc.dll.98.dr
Source: Binary string: SetupPrep.pdbGCTL source: MediaCreationTool11_23H2.exe, 00000062.00000003.1683461084.0000000004A10000.00000004.00000020.00020000.00000000.sdmp, MediaCreationTool11_23H2.exe, 00000062.00000003.1684947549.0000000002C08000.00000004.00000020.00020000.00000000.sdmp, MediaCreationTool11_23H2.exe, 00000062.00000000.1682118339.00000000003B1000.00000020.00000001.01000000.0000000A.sdmp, MediaCreationTool11_23H2.exe, 00000062.00000003.1684604372.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wdsutil.pdb source: wdsutil.dll.98.dr
Source: Binary string: diagER.pdbGCTL source: Diager.dll.98.dr
Source: Binary string: wpx.pdb source: wpx.dll.98.dr
Source: Binary string: wimgapi.pdbGCTL source: wimgapi.dll.98.dr
Source: Binary string: utcapi.pdbGCTL source: utcapi.dll.98.dr
Source: Binary string: diagtrack.pdb source: DiagTrack.dll.98.dr
Source: Binary string: ))q("[^"]*")|('[^']*')w([a-zA-Z]+)z([0-9]+)\StringFileInfo\%04X%04X\%ws\VarFileInfo\Translation.ni.pdbCreateFile failed: %dCreateFileMapping failed: %dMapViewOfFileEx failed: %d source: wdsutil.dll.98.dr
Source: Binary string: WinDlp.pdb source: WinDlp.dll.98.dr
Source: Binary string: unbcl.pdb source: unbcl.dll.98.dr
Source: Binary string: du.pdbGCTL source: DU.dll.98.dr
Source: Binary string: wdscore.pdb source: SetupHost.exe, SetupHost.exe, 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, wdscore.dll.98.dr
Source: Binary string: SetupHost.pdb source: SetupHost.exe, 00000063.00000000.1700326395.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, SetupHost.exe.98.dr
Source: Binary string: SetupCore.pdb source: SetupCore.dll.98.dr
Source: Binary string: du.pdb source: DU.dll.98.dr
Source: Binary string: diagtrackrunner.pdbGCTL source: DiagTrackRunner.exe.98.dr
Source: Binary string: wdsutil.pdbGCTL source: wdsutil.dll.98.dr
Source: Binary string: ServicingCommon.pdb source: ServicingCommon.dll.98.dr
Source: Binary string: unattend.pdbGCTL source: unattend.dll.98.dr
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 99_2_7036EA08 FindFirstFileW,wcsncmp,_wtoi,_wtoi,FindNextFileW,GetLastError,GetLastError,WdsSetupLogMessageW
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 99_2_703727A0 FindFirstFileW
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 99_2_70372580 GetLogicalDriveStringsW
Source: Robocopy.exe, 00000020.00000002.1232637155.000002244E29C000.00000004.00000020.00020000.00000000.sdmp, MediaCreationTool.bat, MediaCreationTool.bat.32.dr | String found in binary or memory: http://b1.download.windowsupdate.com/
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/azurestackhciupgrade
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/azurestackhciupgrade#
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/azurestackhciupgrade(Instalacijski
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/azurestackhciupgrade)
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/azurestackhciupgrade.
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/windowsserverupgrade
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/windowsserverupgrade.
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/windowsserverupgrade5
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/windowsserverupgrade7
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/windowsserverupgradea
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/windowsserverupgradejEr
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/windowsserverupgradeoDet
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/windowsserverupgradeuSorry
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/windowsserverupgradewVi
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/windowsserverupgradey
Source: MediaSetupUIMgr.dll.98.dr | String found in binary or memory: https://aka.ms/windowsserverupgradez
Source: MediaCreationTool11_23H2.exe, 00000062.00000002.2474844921.0000000002E40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.microsoft.
Source: reg.exe | Process created: 62
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 99_2_703888F1: GetProcessHeap,HeapAlloc,memcpy,DeviceIoControl
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | File created: C:\Windows\Logs\MoSetup\BlueBox.log
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 99_2_70370B70
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 99_2_70374EE0
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 99_2_703706E0
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 99_2_703616DC
Source: C:\Windows\System32\Robocopy.exe | Process token adjusted: Security
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: String function: 703896A4 appears 84 times
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: String function: 703692A2 appears 159 times
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: String function: 70389820 appears 32 times
Source: MediaSetupUIMgr.dll.98.dr | Static PE information: Resource name: RT_STRING type: PDP-11 pure executable not stripped
Source: MediaSetupUIMgr.dll.98.dr | Static PE information: Resource name: RT_STRING type: PDP-11 overlaid separate executable not stripped
Source: MediaSetupUIMgr.dll.98.dr | Static PE information: Resource name: RT_STRING type: PDP-11 pure executable not stripped
Source: MediaSetupUIMgr.dll.98.dr | Static PE information: Resource name: RT_STRING type: 370 sysV executable not stripped
Source: MediaSetupUIMgr.dll.98.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: MediaSetupUIMgr.dll.98.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SetupCore.dll.98.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SetupCore.dll.98.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add HKCU\Console /v ForceV2 /d 0x01 /t reg_dword /f
Source: wimgapi.dll.98.dr | Binary string: klmCXmlNamespaceManager::InitializeRtlNsInitialize(this, Comparison, pvCompareContext, Alloc)CXmlLogicalState::InitializeRtlXmlInitializeNextLogicalThing(this, &Init)CXmlCursor::XmlAlloc*ppvAlloc = RtlAllocateHeap((((PPEB)__readfsdword(((LONG)(LONG_PTR)&(((TEB *)0)->ProcessEnvironmentBlock))))->ProcessHeap), 0, cb)CXmlCursor::CompareExtentsRtlXmlDefaultCompareStrings(&m_State.ParseState, Left, Right, pResult)onecore\base\xml\udom_xmlcursor.cppCXmlCursor::NextRtlXmlNextLogicalThing( &m_State, &m_Namespaces, &m_CurrentThing, &m_AttributeList )CXmlCursor::DecodeExtent::RtlXmlExtentToUtf8String( 0, &m_State.ParseState.RawTokenState, &Src, TempString.GetMutablePointer(), &cRequired)CRtlGrowingList<struct _XMLDOC_ATTRIBUTE,50,6>::InitializeRtlInitializeGrowingList( this, sizeof(TStoredObject), m_ulElementsPerChunk, (PVOID)m_InternalBuffer, sizeof(m_InternalBuffer), Allocator )WdsCopyFileEx: Failed to copy [%s] to [%s], GLE = 0x%x; will retry in %u msWdsCopyFileEx: Failed to strip file attributes for %s, will delete. GLE = 0x%xWdsCopyFileEx: Failed to delete %s. 
GLE = 0x%xkernel32.dllapi-ms-win-core-file-l1-2-2.dllFindFirstFileNameWFindNextFileNameWDeleteFileEx: Unable to verify path redirection on [%s]; GLE = 0x%xDeleteFileEx: Unable to allocate hardlink path bufferDeleteFileEx: Will not restore attributes on hardlinks of [%s]DeleteFileEx: Unable to remove [%s]; GLE = 0x%xDeleteFileEx: Trying to set back attributes on hardlink given: %sDeleteFileEx: Unable to restore attributes on [%s]; GLE = 0x%xDeleteFileEx: Unable to open [%s]; GLE = 0x%xDeleteFileEx: Unable to clear out attributes on [%s]; GLE = 0x%xDeleteFileEx: Unable to get information on [%s]; GLE = 0x%xDeleteFileEx: Spoofing detected deleting [%s] -> [%s]DeleteFileEx: Unable to delete [%s]; GLE = 0x%xDeleteFileEx: Unable to prepare Unicode path for [%s]; GLE = 0x%xDeleteFileEx: Unable to form long path name for [%s]; GLE = 0x%xWdsRemoveDirectory: Unable to clear attributes on [%s]; GLE = 0x%xWdsRemoveDirectory: Unable to remove directory [%s]; GLE = 0x%xWdsRemoveDirectory: Unable to prepare path [%s]; GLE = 0x%x\\?\GLOBALROOT\\?\UNC\Device\HarddiskVolume\Device\HarddiskPartitionCreatePath: Unable to create [%s]; GLE = 0x%x\\\\?\UNC\EnumeratePathEx: Unable to get reparse tag for persistent reparse point; GLE = 0x%xEnumeratePathEx: Unable to enumerate [%s]; GLE = 0x%xEnumeratePathEx: Callback requested enumeration interruption or hit internal enumeration failure on [%s]; GLE = 0x%xEnumeratePathEx: Unable to construct path under [%s]; GLE = 0x%xEnumeratePathEx: FindFirstFile failed for [%s]; GLE = 0x%xEnumeratePathEx: Failed search path is >= MAX_PATH!DeletePathDirectoryCallback: Spoofing detected deleting [%s] -> [%s]<unavailable>sDeletePathEngine: Hit %u failure%s during recursive deletion of [%s]; 1st error = 0x%x, cd = [%s]DeletePath: Cannot delete <null>.DeletePath: [%s] doesn't exist as a directory; nothing to delete.DeletePath: Failed to get desired paths for [%s] (GLE = 0x%x)DeletePath:
                Source: bootsvc.dll.98.drBinary string: ;Copying object. Flags: 0x%xFailed to acquire BCD sync mutant. Status: %xBcdCopyObjectEx: Failed to get object description Flags: 0x%x Status: %xBcdCopyObjectEx: Failed to get generate object guid. Flags: 0x%x Status: %xBcdCopyObjectEx: Failed to get object identifier. Flags: 0x%x Status: %xFailed to convert guid to string. Status: %xBcdCopyObjectEx: Failed to create object. Target: %ws Flags: 0x%x Status: %xBcdCopyObjectEx: Failed to set firmware object. Target: %ws Flags: 0x%x Status: %xBcdCopyObjectEx: Failed to enumerate source elements. Target: %ws Flags: 0x%x Status: %xBcdCopyObjectEx: Failed to set target elements. Target: %ws Flags: 0x%x Element type: %lu Status: %xBcdCopyObjectEx: Failed to copy object. Target: %ws Flags: 0x%x Status: %xCopying objects. Version: %d. Type: 0x%08xFailed to enumerate objects. Status: %xN/ABcdGetElementDataWithFlags: Failed to acquire BCD sync mutant. Status: %xBcdGetElementDataWithFlags: Failed to open elements key.Object: %ws Status: %xBcdGetElementDataWithFlags: Failed to open key.Object: %ws Type: %ws Status: %xElementBcdGetElementDataWithFlags: Failed to get registry value.Object: %ws Reg type: %lu Status: %xSetting element %08xFailed filtering for element %08x. Status: 0x%xFailed to open key for object's elements. Status: %xFailed to open key for element %s. Status: %xFailed to convert data for element %s. Status: %xFailed to set registry data for element %s. Status: %xDeleting element %08xDeleting element %08x blocked by secure boot policy.Failed to filter delete element %08x. Status: %xFailed to open key for all object's elements. Status: %xFailed to open element %ws key for delete. Status: %xInsufficient length for BCD element. Length %lu Required %lu DataType: %luUnexpected length for BCD element. Length %lu Expected: %lu DataType: %luFailed to resolve locate. Status: %xExceeded length for BCD element. 
Length %lu Expected: %lu DataType: %luUnexpected length for BCD element. Length %lu DataType: %luString not multiple of WCHAR. Length %lu DataType: %luFailed to open object %ws. Status: %xFailed to Enumerate elements from %ws. Status: %xFailed to enumerate subkeys. Status: %xDropping invalid data type. Element: %wsFailed to get registry value. Element: %ws Status: %xFailed to get the size needed for the registry data. Element: %ws, Status: %xFailed to enumerate subelements. Status: %xFailed to enumerate subobject elements. Status: %xSystem store path: %sFailed to get system partition. Status: %xSystem partition: %sFirmwareVariableFirmwareBootDeviceWindowsSysPartDeviceFailed open key %ws. Status: %xFailed to acquire permissions to load hive. Status: %xFailed load key %ws. Flags: 0x%x File: %s Status: %xFailed open newly loaded key %ws. Flags: 0x%x Status: %x%s\%sUnexpected type for BCD element. Expected type: 0x%x Actual type: 0x%xZwUnloadKey2ZwLoadKey2\Registry\Machine\System\CurrentControlSet\Control\MiniNT\Registry\Machine\SYSTEM\CurrentControlSet\ControlPortableOperatingSystemSystemStartOptionsMI
                Source: unattend.dll.98.drBinary string: klmPartitionWdsSetupLogInitWdsGenericSetupLogInitWdsSetupLogDestroyWdsSetupLogMessageAWdsSetupLogMessageWConstructPartialMsgVAConstructPartialMsgVWCurrentIPwdscore.dll<unknown>[%S] %SUnattendLogWVonecore\base\ntsetup\lib\unattendlog\src\unattendlog.cppD\\.\?:\ArcName\\?\GLOBALROOT\\?\Volume{\\?\UNC\Device\HarddiskVolume\Device\Harddisk\\\\?\UNC\
                Source: WinDlp.dll.98.drBinary string: qAxelRZwFilterBootOptionBinding EFI namespace objectsBiBindEfiNamespaceObjects failed %xExporting store alterations to efiBiExportStoreAlterationsToEfi failed %x\EFI\Microsoft\Boot\BCDBiBuildIdentifierList failed %xBiBindEfiBootManager failed %xBoot entry exists for DontSync with ID 0x%xBiBindEfiEntries failed %xCreated boot entry 0x%x using cached variableCreated new boot entry 0x%xBiCreateEfiEntry failed %xBiExportBcdObjects failed %xTimeoutBootNextBiExportEfiBootManager failed: %xBiSpacesUpdatePhysicalDevicePath null APPLICATION DEVICESyspartIsSpace failed for %s\??\GLOBALROOTSyspartGetPhysicalPartitions failed with error code: %x\Device\Harddisk%u\Partition%uBiSpacesUpdatePhysicalDevicePath failed %xBiUpdateEfiEntry failed %xWINDOWSBCDOBJECT=Translated a DontSync entry with ID 0x%xTranslated a DontSync object to ID 0x%xSyspartIsSpace failed for partition path: %sBiCreateBootEntry: Could not retrieve BCD Object application description. Status: %xBiCreateBootEntry: Could not retrieve BCD Object application device. Status: %xBiCreateBootEntry: Could not retrieve BCD Object application path. Status: %xZwAddBootEntryFailed to add boot entry. Status: %xZwEnumerateBootEntriesFailed to enumerate boot entries. Status: %xDeleting boot entry 0x%xZwDeleteBootEntryFailed to delete boot entry 0x%x. Status: %xZwQuerySystemEnvironmentValueExZwSetSystemEnvironmentValueExFailed to query "%ws" variable. Status: %xFailed to delete "%ws" variable. Status: %xZwModifyBootEntryFailed to modify boot entry 0x%x. Status: %xZwSetBootEntryOrderFailed to set boot entry order. Status: %xZwSetBootOptionsFailed to set boot options. Status: %xZwTranslateFilePathZwQueryBootEntryOrderFailed to query boot entry order. Status: %xZwQueryBootOptionsFailed to query boot options. Status: %x\Boot\BCD
                Source: bootsvc.dll.98.drBinary string: WdsCopyFileEx: Failed to copy [%s] to [%s], GLE = 0x%x; will retry in %u msWdsCopyFileEx: Failed to strip file attributes for %s, will delete. GLE = 0x%xWdsCopyFileEx: Failed to delete %s. GLE = 0x%xkernel32.dllapi-ms-win-core-file-l1-2-2.dllFindFirstFileNameWFindNextFileNameWDeleteFileEx: Unable to allocate hardlink path bufferDeleteFileEx: Will not restore attributes on hardlinks of [%s]DeleteFileEx: Unable to remove [%s]; GLE = 0x%xDeleteFileEx: Trying to set back attributes on hardlink given: %sDeleteFileEx: Unable to restore attributes on [%s]; GLE = 0x%xDeleteFileEx: Unable to open [%s]; GLE = 0x%xDeleteFileEx: Unable to clear out attributes on [%s]; GLE = 0x%xDeleteFileEx: Unable to get information on [%s]; GLE = 0x%xDeleteFileEx: Unable to delete [%s]; GLE = 0x%xDeleteFileEx: Unable to prepare Unicode path for [%s]; GLE = 0x%xDeleteFileEx: Unable to form long path name for [%s]; GLE = 0x%x\\?\Volume{\\?\UNC\Device\HarddiskPartitionCreatePath: Unable to create [%s]; GLE = 0x%x\\\\?\UNC\ENDEJAKOTWCNFRESBRITNLSVDAFIHUNOELPLRUCSPTTRSKSLARHEEUISsr-Latn-CSsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrliu-Latn-CAiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAbs-BA-Latnzh-Hantzh-CHTzh-Hanszh-CHSMUI%s\%s\%s.mui%s\%s.mui.\%s\%s.mui.\%s.mui
                Source: bootsvc.dll.98.drBinary string: qAxelRGuidCacheBinding EFI namespace objectsBiBindEfiNamespaceObjects failed %xExporting store alterations to efiBiExportStoreAlterationsToEfi failed %xExporting store to efiBiExportStoreToEfi failed %xBiBuildIdentifierList failed %xBiBindEfiBootManager failed %xBoot entry exists for DontSync with ID 0x%xBiBindEfiEntries failed %xCreated boot entry 0x%x using cached variableCreated new boot entry 0x%xBiCreateEfiEntry failed %xBiExportBcdObjects failed %xTimeoutBootNextBiExportEfiBootManager failed: %xBiSpacesUpdatePhysicalDevicePath null APPLICATION DEVICESyspartIsSpace failed for %s\??\GLOBALROOTSyspartGetPhysicalPartitions failed with error code: %x\Device\Harddisk%u\Partition%uBiSpacesUpdatePhysicalDevicePath failed %xBiUpdateEfiEntry failed %xWINDOWSBCDOBJECT=Translated a DontSync entry with ID 0x%xTranslated a DontSync object to ID 0x%xSyspartIsSpace failed for partition path: %sBiCreateBootEntry: Could not retrieve BCD Object application description. Status: %xBiCreateBootEntry: Could not retrieve BCD Object application device. Status: %xBiCreateBootEntry: Could not retrieve BCD Object application path. Status: %xZwAddBootEntryFailed to add boot entry. Status: %xZwEnumerateBootEntriesFailed to enumerate boot entries. Status: %xDeleting boot entry 0x%xZwDeleteBootEntryFailed to delete boot entry 0x%x. Status: %xZwQuerySystemEnvironmentValueExZwSetSystemEnvironmentValueExFailed to query "%ws" variable. Status: %xFailed to delete "%ws" variable. Status: %xZwModifyBootEntryFailed to modify boot entry 0x%x. Status: %xZwSetBootEntryOrderFailed to set boot entry order. Status: %xZwSetBootOptionsFailed to set boot options. Status: %xZwTranslateFilePathZwQueryBootEntryOrderFailed to query boot entry order. Status: %xZwQueryBootOptionsFailed to query boot options. 
Status: %x\Boot\BCDmulti(%d)disk(%d)rdisk(%d)partition(%d)\ArcName\\??\PhysicalDrive%d\Registry\Machine\SYSTEM\CurrentControlSet\Control\SyspartSystemPartition\Device\Harddisk%lu\Partition%lu\EFI\Microsoft\Boot\bootmgfw.efi\ArcName\multi(0)disk(0)rdisk(1)\ArcName\multi(0)disk(0)rdisk(0)\Partition0%s\Partition%lumulti(%d)disk(%d)rdisk(%d)
                Source: wdsutil.dll.98.drBinary string: \??\\\??\\\?\GLOBALROOT\DriverStores\BSPDRIVERS\DriverStores\BSPDRIVERS\SystemRoot\\Device\LanmanRedirector\\Device\Mup\\\?\VMSMB\\Device\vmsmb\\GLOBAL??\vector<T> too long%ws\drivers\%ws\%ws\FI_UNKNOWN%wc:%ws%ws%ws
                Source: wdsutil.dll.98.drBinary string: \Device\
                Source: DiagTrack.dll.98.drBinary string: @%DiagtrackStorageRoot%\ETLLogsConsumerDroppedProviderCounts_0DecodingDroppedProviderCounts_0DiagTrackETWLoggerDiagtrack-ListenerAutoLogger-Diagtrack-Listener{11D8A17B-F2D8-4733-B41B-6F4959ACD701}%DiagtrackStorageRoot%\ETLLogs\AutoLogger%DiagtrackStorageRoot%\ETLLogs\ShutdownLogger%DiagtrackStorageRoot%\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl%DiagtrackStorageRoot%\ETLLogs\ShutdownLogger\AutoLogger-Diagtrack-Listener.etl:$ETLUNIQUECVDATAHybridLatencySwapMillisbase\diagnosis\diagtrack\extension\lib\coreexternal\etwconsumer.cppLoggerFlushTimeUseMsFlushTimerMinBuffersMaxBuffersBufferSizeKbFailed to stop ETW tracing session (before starting a fresh session)Failed to start ETW tracing sessionFailed to open ETW traceFailed to process ETW traceFailed to stop ETW traceFailed to stop AutoLogger ETW tracing session (before starting a fresh session)Failed to start ETW tracing session for Shutdown logger.producerMapFailed to open ETW trace while processing etl file.DisableProviderGroupsFailed to enable ETW provider: %sFailed to disable ETW provider: %sFailed to set ETW session disallow list|iKeybad 
allocationgetfileactionGetFileActiongetmemoryinfoactionGetMemoryInfoActiongetprocessdumpactionGetProcessDumpActiongetregkeyactionGetRegKeyActionsetregkeyactionSetRegKeyActiongetwnfstateactionGetWNFStateActionsnapalwaysontraceactionSnapAlwaysOnTraceActionsnaptraceactionSnapTraceActionstarttraceactionStartTraceActionstoptraceactionStopTraceActiontoggletraceactionToggleTraceActiontoggletracewithcustomfilteractionToggleTraceWithCustomFilterActiondelayactionDelayActionradaractionRADARActionrunexewithargsactionRunExeWithArgsActiongetkerneldumpactionGetKernelDumpActiondualtriggerpropertyfilterDualPropertyFilterfileinfofilterFileInfoFilterregistryfilterRegistryKeyFilterservicestatusfilterServiceStatusFiltersingletriggerpropertyfilterSinglePropertyFiltertelemetryprotocolfilterTelemetryProtocolFilteretwtriggerETWLastBootTimeIsACOnIsEscalationInProgressIsKernelDebuggerPresentLastPowerSourceChangeTimeAppIdIsContinuumSessionActiveBuildStringPhoneWindowsbase\diagnosis\diagtrack\extension\lib\coreexternal\etwtrigger.cppproviderkeywordslevel id= ver= name= type=%hdetw_cVProcessStartedAppStateChangeAppInteractivitybase\diagnosis\diagtrack\extension\lib\coreexternal\appidmetadata.cppInstanceIdProcessStartKeySessionIdSessionCreateTimeInstanceStartTimeCommandLineUserSidImageFileNamePackageNamePRAIDImageChecksumImageTimeDateStampTSIdaepic.dllPicRetrieveFileInfoPicFreeFileInfo\\?\GLOBALROOT\Device\Mup\0000da39a3ee5e6b4b0d3255bfef95601890afd80709U:W:%04d/%02d/%02d:%02d:%02d:%02dapi-ms-win-security-lsalookup-l1-1-2.dllLsaLookupUserAccountTypeS-1-5-21-S-1-12-1-tdh.dllapi-ms-win-eventing-tdh-l1-1-0.dllTdhGetEventInformation] TdhFacade_ProviderStats_1ProviderCountTotalSizeProviderStatsbase\diagnosis\diagtrack\extension\lib\coreexternal\tdhfacade.cppxpfTdhLoadManifest.Length.Count%ubase\diagnosis\diagtrack\extension\lib\coreexternal\etwforwarder.cppTelClientSynthetic.__metadataTe
                Source: ServicingCommon.dll.98.drBinary string: !"#$%&'()*+,-./0123onecore\base\lstring\path.cppRtlConvertWin32RegistryPathToNtRegistryPathUserNot-null check failed: PathInNot-null check failed: PathOutHKEY_CURRENT_USERHKCURtlFormatCurrentUserKeyPath(UserProfilePath.GetMutablePointer())PathOut->Length != 0RtlConvertWin32RegistryPathToNtRegistryPathWithSidRtlSplitWin32RegistryPathIntoRootAndLeavesNot-null check failed: Win32RegistryPathNot-null check failed: KeyRootNot-null check failed: RootRelativePathRtlConvertWin32FilePathToNtFilePathPathIn->Length >= 2 * sizeof(WCHAR)(PathIn->Length > 4 * sizeof(WCHAR)) && (PathIn->Buffer[3] == L'\\')RtlConvertNtRegistryPathToWin32RegistryPathRtlConvertNtFilePathToWin32FilePath\??\UNC\\\\??\HardDisk\\?\HardDisk\??\Volume\\?\Volume\??\\DosDevices\UNC\\DosDevices\\SystemRoot\Device\HarddiskVolume\\?\HarddiskVolume\Device\MupRtlTrimNtPathSegmentRtlIsLUnicodeStringValid(Segment)RtlCombineNtPathSegments(PathSegmentCount == 0) || (PathSegments != 0)BytesLeft >= sizeof(WCHAR)BytesLeft >= BytesToCopyFlags == 0onecore\base\lstring\ucsdecoders.cpp(Count == 0) || (Data != 0)RtlGetCharacterSetDecoderTempDecoder != 0
                Source: SetupHost.exe.98.drBinary string: kernel32.dllWdsCopyFileEx: Failed to copy [%s] to [%s], GLE = 0x%x; will retry in %u msWdsCopyFileEx: Failed to strip file attributes for %s, will delete. GLE = 0x%xWdsCopyFileEx: Failed to delete %s. GLE = 0x%xapi-ms-win-core-file-l1-2-2.dllFindFirstFileNameWFindNextFileNameWDeleteFileEx: Unable to verify path redirection on [%s]; GLE = 0x%xDeleteFileEx: Unable to allocate hardlink path bufferDeleteFileEx: Will not restore attributes on hardlinks of [%s]DeleteFileEx: Unable to remove [%s]; GLE = 0x%xDeleteFileEx: Trying to set back attributes on hardlink given: %sDeleteFileEx: Unable to restore attributes on [%s]; GLE = 0x%xDeleteFileEx: Unable to open [%s]; GLE = 0x%xDeleteFileEx: Unable to clear out attributes on [%s]; GLE = 0x%xDeleteFileEx: Unable to get information on [%s]; GLE = 0x%xDeleteFileEx: Spoofing detected deleting [%s] -> [%s]DeleteFileEx: Unable to delete [%s]; GLE = 0x%xDeleteFileEx: Unable to prepare Unicode path for [%s]; GLE = 0x%xDeleteFileEx: Unable to form long path name for [%s]; GLE = 0x%xWdsRemoveDirectory: Unable to clear attributes on [%s]; GLE = 0x%xWdsRemoveDirectory: Unable to remove directory [%s]; GLE = 0x%xWdsRemoveDirectory: Unable to prepare path [%s]; GLE = 0x%xSYSTEM\CurrentControlSet\Control\MiniNT\\?\GLOBALROOT\\?\Volume{\\?\UNC\Device\HarddiskVolume\Device\HarddiskPartitionCreatePath: Unable to create [%s]; GLE = 0x%x\\?\UNC\FileVersion\VarFileInfo\Translation\StringFileInfo\%04X%04X\%sEnumeratePathEx: Unable to get reparse tag for persistent reparse point; GLE = 0x%x*..EnumeratePathEx: Unable to enumerate [%s]; GLE = 0x%xEnumeratePathEx: Callback requested enumeration interruption or hit internal enumeration failure on [%s]; GLE = 0x%xEnumeratePathEx: Unable to construct path under [%s]; GLE = 0x%xEnumeratePathEx: FindFirstFile failed for [%s]; GLE = 0x%xEnumeratePathEx: Failed search path is >= MAX_PATH!DeletePathDirectoryCallback: Spoofing detected deleting [%s] 
-> [%s]<unavailable>sDeletePathEngine: Hit %u failure%s during recursive deletion of [%s]; 1st error = 0x%x, cd = [%s]DeletePath: Cannot delete <null>.DeletePath: [%s] doesn't exist as a directory; nothing to delete.DeletePath: Failed to get desired paths for [%s] (GLE = 0x%x)DeletePath: Full path [%s]DeletePath: Long path [%s]DeletePath: Final path [%s]DeletePath: Attempting to obliterate [%s] (final path [%s]).DeletePath: Failed to obliterate [%s] (GLE = 0x%x); retrying...DeletePath: Failed to obliterate [%s] after %u tries; GLE = 0x%xCopyDirectoryDirCallback: The copy was canceled by the user.CopyDirectoryFileCallback: The copy was canceled by the user.user32.dllSendMessageWmovecopyCopyDirectoryFileCallback: Unable to %s file from [%s] to [%s]; GLE = 0x%xCopyDirectoryEx2: Specified directory [%s] doesn't existCopyDirectoryEx2: Failed to copy [%s] to [%s], GLE = 0x%x; will retry in %u ms; am on try %u.\\?\\Device
                Source: classification engineClassification label: mal72.evad.winBAT@170/119@0/0
                Source: C:\$Windows.~WS\Sources\SetupHost.exeCode function: 99_2_703800A0 ConstructPartialMsgVW,GetLastError,FormatMessageW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,LocalFree,SetLastError,99_2_703800A0
                Source: C:\$Windows.~WS\Sources\SetupHost.exeCode function: 99_2_70372AE0 GetDiskFreeSpaceW,99_2_70372AE0
                Source: C:\$Windows.~WS\Sources\SetupHost.exeCode function: 99_2_70382E73 LoadResource,LockResource,SizeofResource,99_2_70382E73
                Source: C:\Windows\System32\cmd.exeFile created: C:\Users\user\AppData\Roaming\c
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
                Source: C:\$Windows.~WS\Sources\SetupHost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\SetupLog
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exeMutant created: \Sessions\1\BaseNamedObjects\Global\Microsoft.Windows.Websetup
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_03
                Source: C:\$Windows.~WS\Sources\SetupHost.exeMutant created: \Sessions\1\BaseNamedObjects\Global\WdsSetupLogInit
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1duzznxq.rpp.ps1
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\MediaCreationTool.bat" "
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\System32\chcp.comKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\MediaCreationTool.bat" "
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 437
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKCU\Console /v ForceV2 /d 0x01 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ScreenColors /d 31 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable00 /d 0x000000 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable08 /d 0x767676 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable01 /d 0x9e5a00 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable09 /d 0xff783b /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable02 /d 0x0ea113 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable10 /d 0x0cc616 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable03 /d 0xdd963a /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable11 /d 0xd6d661 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable04 /d 0x1f0fc5 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable12 /d 0x5648e7 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable05 /d 0x981788 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable13 /d 0x9e00b4 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable06 /d 0x009cc1 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable14 /d 0xa5f1f9 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable07 /d 0xcccccc /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable15 /d 0xffffff /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v QuickEdit /d 0x0000 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v LineWrap /d 0 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v LineSelection /d 0x0001 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v CtrlKeyShortcutsDisabled /d 0 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v WindowSize /d 2097272 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ScreenBufferSize /d 655294584 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v FontSize /d 0x00100008 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v FaceName /d "Consolas" /t reg_sz /f
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -R -S -H "C:\ESD"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\Robocopy.exe robocopy "C:\Users\user\Desktop\/" "C:\ESD/" "MediaCreationTool.bat"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /d /x /c set "ROOT=C:\Users\user\Desktop" & call "C:\ESD\MediaCreationTool.bat" set
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 437
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -R -S -H "C:\ESD"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\Robocopy.exe robocopy "C:\ESD\/" "C:\ESD/" "MediaCreationTool.bat"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c echo prompt $h$s$h:|cmd /d
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo prompt $h$s$h:"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /d
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /q /v:on /c echo !.:~2,1!
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /q /v:on /c echo !.:~2,1!
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /c:\ /a:f0 " Detected Media "\..\c nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /c:\ /a:6f " en-US "\..\c nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /c:\ /a:9f " Enterprise "\..\c nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /c:\ /a:2f " x64 "\..\c nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "1 Auto Upgrade : MCT gets detected media, script assists setupprep for upgrading "\..\c nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "2 Auto ISO : MCT gets detected media, script assists making ISO here | C:ESD "\..\c nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "3 Auto USB : MCT gets detected media, script assists making USB stick target "\..\c nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "4 Select : MCT gets selected Edition, Language, Arch onto specified target "\..\c nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "5 MCT Defaults : MCT runs unassisted, creating media without script modification "\..\c nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /c:\ /a:17 "1-4 adds to media: PID.txt, EI.cfg, $ISO$ dir, auto.cmd for upgrade and tpm checks "\..\c nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /c:\ /a:17 "can rename script: "\..\c nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "def MediaCreationTool.bat"\..\c nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\findstr.exe findstr /c:\ /a:17 " to always create unmodified MCT media "\..\c nul
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fltMC.exe fltmc
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -R -S -H "C:\ESD" /D
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:6f " en-US "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:9f " Enterprise "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:2f " x64 "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\expand.exe expand.exe -R products11_23H2.cab -F:* .
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:0f " Auto Upgrade "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:PRODUCTS_XML\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1';iex($0+$1)"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\makecab.exe makecab products.xml products.cab
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]generate_auto_cmd')[1];"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]generate_AutoUnattend_xml')[1];"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\Dism.exe dism /cleanup-wim
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]Assisted_MCT')[1];"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\ESD\MCT\MediaCreationTool11_23H2.exe "C:\ESD\MCT\MediaCreationTool11_23H2.exe" /SelfHost /Action CreateMedia /MediaLangCode en-US /MediaEdition Enterprise /MediaArch x64 /Pkey Defer /Compat IgnoreWarning /MigrateDrivers All /ResizeRecoveryPartition Disable /ShowOOBE None /Telemetry Disable /CompactOS Disable /DynamicUpdate Disable /SkipSummary /Eula Accept
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Process created: C:\$Windows.~WS\Sources\SetupHost.exe "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web /Eula Accept /Selfhost "/Action" "CreateMedia" "/MediaLangCode" "en-US" "/MediaEdition" "Enterprise" "/MediaArch" "x64" "/Pkey" "Defer" "/Compat" "IgnoreWarning" "/MigrateDrivers" "All" "/ResizeRecoveryPartition" "Disable" "/ShowOOBE" "None" "/Telemetry" "Disable" "/CompactOS" "Disable" "/DynamicUpdate" "Disable" "/SkipSummary"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 437
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add HKCU\Console /v ForceV2 /d 0x01 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ScreenColors /d 31 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable00 /d 0x000000 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable08 /d 0x767676 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable01 /d 0x9e5a00 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable09 /d 0xff783b /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable02 /d 0x0ea113 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable10 /d 0x0cc616 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable03 /d 0xdd963a /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable11 /d 0xd6d661 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable04 /d 0x1f0fc5 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable12 /d 0x5648e7 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable05 /d 0x981788 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable13 /d 0x9e00b4 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable06 /d 0x009cc1 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable14 /d 0xa5f1f9 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable07 /d 0xcccccc /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable15 /d 0xffffff /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v QuickEdit /d 0x0000 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v LineWrap /d 0 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v LineSelection /d 0x0001 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v CtrlKeyShortcutsDisabled /d 0 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v WindowSize /d 2097272 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ScreenBufferSize /d 655294584 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v FontSize /d 0x00100008 /t reg_dword /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v FaceName /d "Consolas" /t reg_sz /f
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -R -S -H "C:\ESD"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\Robocopy.exe robocopy "C:\Users\user\Desktop\/" "C:\ESD/" "MediaCreationTool.bat"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /d /x /c set "ROOT=C:\Users\user\Desktop" & call "C:\ESD\MediaCreationTool.bat" set
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 437
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -R -S -H "C:\ESD"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\Robocopy.exe robocopy "C:\ESD\/" "C:\ESD/" "MediaCreationTool.bat"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c echo prompt $h$s$h:|cmd /d
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:f0 " Detected Media "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:6f " en-US "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:9f " Enterprise "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:2f " x64 "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "1 Auto Upgrade : MCT gets detected media, script assists setupprep for upgrading "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "2 Auto ISO : MCT gets detected media, script assists making ISO here | C:ESD "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "3 Auto USB : MCT gets detected media, script assists making USB stick target "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "4 Select : MCT gets selected Edition, Language, Arch onto specified target "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "5 MCT Defaults : MCT runs unassisted, creating media without script modification "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:17 "1-4 adds to media: PID.txt, EI.cfg, $ISO$ dir, auto.cmd for upgrade and tpm checks "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:17 "can rename script: "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "def MediaCreationTool.bat"\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:17 " to always create unmodified MCT media "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\fltMC.exe fltmc
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:9f " Enterprise "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:2f " x64 "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "1 Auto Upgrade : MCT gets detected media, script assists setupprep for upgrading "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "2 Auto ISO : MCT gets detected media, script assists making ISO here | C:ESD "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:6f " en-US "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:9f " Enterprise "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:2f " x64 "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\expand.exe expand.exe -R products11_23H2.cab -F:* .
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:0f " Auto Upgrade "\..\c nul
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:PRODUCTS_XML\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1';iex($0+$1)"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\makecab.exe makecab products.xml products.cab
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]generate_auto_cmd')[1];"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]generate_AutoUnattend_xml')[1];"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\Dism.exe dism /cleanup-wim
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]Assisted_MCT')[1];"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo prompt $h$s$h:"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /d
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /q /v:on /c echo !.:~2,1!
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /q /v:on /c echo !.:~2,1!
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\ESD\MCT\MediaCreationTool11_23H2.exe "C:\ESD\MCT\MediaCreationTool11_23H2.exe" /SelfHost /Action CreateMedia /MediaLangCode en-US /MediaEdition Enterprise /MediaArch x64 /Pkey Defer /Compat IgnoreWarning /MigrateDrivers All /ResizeRecoveryPartition Disable /ShowOOBE None /Telemetry Disable /CompactOS Disable /DynamicUpdate Disable /SkipSummary /Eula Accept
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Process created: C:\$Windows.~WS\Sources\SetupHost.exe "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web /Eula Accept /Selfhost "/Action" "CreateMedia" "/MediaLangCode" "en-US" "/MediaEdition" "Enterprise" "/MediaArch" "x64" "/Pkey" "Defer" "/Compat" "IgnoreWarning" "/MigrateDrivers" "All" "/ResizeRecoveryPartition" "Disable" "/ShowOOBE" "None" "/Telemetry" "Disable" "/CompactOS" "Disable" "/DynamicUpdate" "Disable" "/SkipSummary"
                Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\chcp.com | Section loaded: apphelp.dll
                Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
                Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\attrib.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
                Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
                Source: C:\Windows\System32\Robocopy.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\Robocopy.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                Source: C:\Windows\System32\chcp.com | Section loaded: apphelp.dll
                Source: C:\Windows\System32\chcp.com | Section loaded: ulib.dll
                Source: C:\Windows\System32\chcp.com | Section loaded: fsutilext.dll
                Source: C:\Windows\System32\attrib.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
                Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
                Source: C:\Windows\System32\Robocopy.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\reg.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dwrite.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: textinputframework.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: coreuicomponents.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: coremessaging.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\fltMC.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\fltMC.exe | Section loaded: fltlib.dll
                Source: C:\Windows\System32\fltMC.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\attrib.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
                Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\findstr.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bitsproxy.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bitsproxy.dll
                Source: C:\Windows\System32\expand.exeSection loaded: apphelp.dll
                Source: C:\Windows\System32\expand.exeSection loaded: cabinet.dll
                Source: C:\Windows\System32\expand.exeSection loaded: dpx.dll
                Source: C:\Windows\System32\expand.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\expand.exeSection loaded: wdscore.dll
                Source: C:\Windows\System32\expand.exeSection loaded: dbghelp.dll
                Source: C:\Windows\System32\expand.exeSection loaded: dbgcore.dll
                Source: C:\Windows\System32\expand.exeSection loaded: rsaenh.dll
                Source: C:\Windows\System32\expand.exeSection loaded: cryptbase.dll
                Source: C:\Windows\System32\findstr.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\makecab.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\makecab.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\Dism.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\Dism.exe | Section loaded: version.dll
Source: C:\Windows\System32\Dism.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Dism.exe | Section loaded: dismcore.dll
Source: C:\Windows\System32\Dism.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\Dism.exe | Section loaded: dbgcore.dll
Source: C:\Windows\System32\Dism.exe | Section loaded: wdscore.dll
Source: C:\Windows\System32\Dism.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\Dism.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\Dism.exe | Section loaded: wimgapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: mfc42u.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: userenv.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: wtsapi32.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: wdscore.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: fltlib.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: cabinet.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: version.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: wimgapi.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: riched32.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: riched20.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: usp10.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: msls31.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: kernel.appcore.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: ntmarta.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Section loaded: apphelp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: wdscore.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: winhttp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: fltlib.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: cabinet.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: wtsapi32.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: version.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: kernel.appcore.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: winbrand.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: wldp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: dbghelp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: dbgcore.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: winbrand.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: wldp.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: slc.dll
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Section loaded: sppc.dll
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | File opened: C:\Windows\SysWOW64\riched32.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: Binary string: diagtrackrunner.pdb source: DiagTrackRunner.exe.98.dr
                Source: Binary string: SetupCore.pdbGCTL source: SetupCore.dll.98.dr
                Source: Binary string: unattend.pdb source: unattend.dll.98.dr
                Source: Binary string: bootsvc.pdb source: bootsvc.dll.98.dr
                Source: Binary string: unbcl.pdbGCTL source: unbcl.dll.98.dr
                Source: Binary string: ServicingCommon.pdbGCTL source: ServicingCommon.dll.98.dr
                Source: Binary string: MediaSetupUIMgr.pdb source: MediaSetupUIMgr.dll.98.dr
                Source: Binary string: wimgapi.pdb source: wimgapi.dll.98.dr
                Source: Binary string: SetupPlatform.pdb source: setupplatform.dll.98.dr
                Source: Binary string: wpx.pdbGCTL source: wpx.dll.98.dr
                Source: Binary string: SetupHost.pdbGCTL source: SetupHost.exe, 00000063.00000000.1700326395.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, SetupHost.exe.98.dr
                Source: Binary string: wdscore.pdbGCTL source: SetupHost.exe, 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, wdscore.dll.98.dr
                Source: Binary string: SetupPlatform.pdbGCTL source: setupplatform.dll.98.dr
                Source: Binary string: HwReqChk.pdb source: hwreqchk.dll.98.dr
                Source: Binary string: MediaSetupUIMgr.pdbGCTL source: MediaSetupUIMgr.dll.98.dr
                Source: Binary string: utcapi.pdb source: utcapi.dll.98.dr
                Source: Binary string: diagER.pdb source: Diager.dll.98.dr
                Source: Binary string: SetupPrep.pdb source: MediaCreationTool11_23H2.exe, 00000062.00000003.1683461084.0000000004A10000.00000004.00000020.00020000.00000000.sdmp, MediaCreationTool11_23H2.exe, 00000062.00000003.1684947549.0000000002C08000.00000004.00000020.00020000.00000000.sdmp, MediaCreationTool11_23H2.exe, 00000062.00000000.1682118339.00000000003B1000.00000020.00000001.01000000.0000000A.sdmp, MediaCreationTool11_23H2.exe, 00000062.00000003.1684604372.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: WinDlp.pdbGCTL source: WinDlp.dll.98.dr
                Source: Binary string: .ni.pdb source: wdsutil.dll.98.dr
                Source: Binary string: diagtrack.pdbGCTL source: DiagTrack.dll.98.dr
                Source: Binary string: HwReqChk.pdbGCTL source: hwreqchk.dll.98.dr
                Source: Binary string: bootsvc.pdbGCTL source: bootsvc.dll.98.dr
                Source: Binary string: SetupPrep.pdbGCTL source: MediaCreationTool11_23H2.exe, 00000062.00000003.1683461084.0000000004A10000.00000004.00000020.00020000.00000000.sdmp, MediaCreationTool11_23H2.exe, 00000062.00000003.1684947549.0000000002C08000.00000004.00000020.00020000.00000000.sdmp, MediaCreationTool11_23H2.exe, 00000062.00000000.1682118339.00000000003B1000.00000020.00000001.01000000.0000000A.sdmp, MediaCreationTool11_23H2.exe, 00000062.00000003.1684604372.0000000002C07000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wdsutil.pdb source: wdsutil.dll.98.dr
                Source: Binary string: diagER.pdbGCTL source: Diager.dll.98.dr
                Source: Binary string: wpx.pdb source: wpx.dll.98.dr
                Source: Binary string: wimgapi.pdbGCTL source: wimgapi.dll.98.dr
                Source: Binary string: utcapi.pdbGCTL source: utcapi.dll.98.dr
                Source: Binary string: diagtrack.pdb source: DiagTrack.dll.98.dr
                Source: Binary string: ))q("[^"]*")|('[^']*')w([a-zA-Z]+)z([0-9]+)\StringFileInfo\%04X%04X\%ws\VarFileInfo\Translation.ni.pdbCreateFile failed: %dCreateFileMapping failed: %dMapViewOfFileEx failed: %d source: wdsutil.dll.98.dr
                Source: Binary string: WinDlp.pdb source: WinDlp.dll.98.dr
                Source: Binary string: unbcl.pdb source: unbcl.dll.98.dr
                Source: Binary string: du.pdbGCTL source: DU.dll.98.dr
                Source: Binary string: wdscore.pdb source: SetupHost.exe, SetupHost.exe, 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, wdscore.dll.98.dr
                Source: Binary string: SetupHost.pdb source: SetupHost.exe, 00000063.00000000.1700326395.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, SetupHost.exe.98.dr
                Source: Binary string: SetupCore.pdb source: SetupCore.dll.98.dr
                Source: Binary string: du.pdb source: DU.dll.98.dr
                Source: Binary string: diagtrackrunner.pdbGCTL source: DiagTrackRunner.exe.98.dr
                Source: Binary string: wdsutil.pdbGCTL source: wdsutil.dll.98.dr
                Source: Binary string: ServicingCommon.pdb source: ServicingCommon.dll.98.dr
                Source: Binary string: unattend.pdbGCTL source: unattend.dll.98.dr
Source: bootsvc.dll.98.dr | Static PE information: 0xCA465156 [Thu Jul 15 20:19:34 2077 UTC]
Source: Diager.dll.98.dr | Static PE information: section name: .didat
Source: ServicingCommon.dll.98.dr | Static PE information: section name: .didat
Source: setupplatform.dll.98.dr | Static PE information: section name: .didat
Source: unbcl.dll.98.dr | Static PE information: section name: .didat
Source: wdsutil.dll.98.dr | Static PE information: section name: .didat
Source: wpx.dll.98.dr | Static PE information: section name: PAGECMRC
Source: SetupCore.dll.98.dr | Static PE information: section name: .didat
Source: DU.dll.98.dr | Static PE information: section name: .didat
Source: DiagTrack.dll.98.dr | Static PE information: section name: .didat
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 99_2_703896E9 push ecx; ret 99_2_703896FC
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 99_2_7038973F push ecx; ret 99_2_70389752
Source: pidgenx.dll.98.dr | Static PE information: section name: .text entropy: 6.80190192910826

                Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: \KnownDlls\BitsProxy.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: \KnownDlls\BitsProxy.dll
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
Source: C:\Windows\System32\cmd.exe | Process created: reg.exe
                Source: C:\Windows\System32\cmd.exeProcess created: reg.exeJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: attrib.exeJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: attrib.exeJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: reg.exeJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: reg.exeJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: reg.exeJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: reg.exeJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: reg.exeJump to behavior
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\SetupMgr.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\SetupCore.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\DiagTrack.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\wimgapi.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\DU.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\wpx.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\bcd.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\unattend.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\wdscore.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\bootsvc.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\SetupHost.exe
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\ServicingCommon.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\WinDlp.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\DiagTrackRunner.exe
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\wdsutil.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\pidgenx.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\hwreqchk.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\unbcl.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\Diager.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\setupplatform.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe File created: C:\$Windows.~WS\Sources\utcapi.dll
                Source: DiagTrack.dll.98.dr Binary or memory string: statenamestypeidexplicitscopedataitemstatenamesessionuploadAsHexString=wnfBufferType=wnfStateName=wnfTypeId=wnfExplicitScopeString=wnfExplicitScopeType=int8uint8int16uint16int32uint32int64uint64floatdoubleboolguidpointerfiletimesystemtimeyearmonthdowdayhourminutesecondmillisecondhexint32hexint64base\diagnosis\diagtrack\extension\lib\coreexternal\snapalwaysontraceaction.cppSnapAlwaysOnTraceAction: trace.etlbase\diagnosis\diagtrack\extension\lib\coreexternal\snaptraceaction.cppsavedtrace_.etlmergewithalwaysontracesavetolocalstoreSnapTraceAction: traceProfileHash=mergeWithAOT=saveToLocalStore=base\diagnosis\diagtrack\extension\lib\coreexternal\starttraceaction.cppmaxdurationsectracepriorityStartTraceAction: maximumDurationSec=tracePriority=base\diagnosis\diagtrack\extension\lib\coreexternal\stoptraceaction.cpptraceprofilescenarioidStopTraceAction: traceProfileScenarioId=base\diagnosis\diagtrack\extension\lib\coreexternal\toggletraceaction.cppToggleTraceAction: traceProfile=base\diagnosis\diagtrack\extension\lib\coreexternal\toggletracewithcustomfilteraction.cppcapturestateloggername | captureStateLogger=captureStateProvider=Filters: (type: (K/V: ) | Delay (ms): ; Tolerance (ms): base\diagnosis\diagtrack\extension\lib\coreexternal\delayaction.cppdelaymsrangemstolerancemsDelayAction: delayMillis=windowRangeMillis=containsWindowsRange=toleranceMillis=containsTolerance=%windir%\system32\RdrLeakDiag.exe%windir%\SysWow64\RdrLeakDiag.exePID: ; Wait Time (min): base\diagnosis\diagtrack\extension\lib\coreexternal\radaraction.cpp -p -wait waittimeminRADARAction: processId = waitTimeMin = %windir%\system32\bcdedit.exe%windir%\system32\disksnapshot.exe%windir%\system32\dispdiag.exe%windir%\system32\dxdiag.exe%programfiles%\internet explorer\iediagcmd.exe%windir%\system32\ipconfig.exe%windir%\system32\licensingdiag.exe%windir%\system32\logman.exe%windir%\system32\msinfo32.exe%windir%\system32\netsh.exe%windir%\system32\powercfg.exe%windir%\system32\route.exe%windir%\system32\settingsynchost.exe%windir%\system32\tracelog.exe%windir%\system32\wevtutil.exe%windir%\system32\whoami.exe%windir%\system32\wscollect.exerunexewithargs_output.txt&&/enum all-out/x/t/q/collect/out/all-report-log^update .* -fd -ets$/report/nfodumpwlan show dwlan show Iwlan show wlanreport^wfp show netevents -$^wfp show filters -$^wfp show state -$ras diagnostics set rastracing * enabledras diagnostics set rastracing * disabled^.*add.*$^.*exec.*$/qh/sleepstudy/batteryreport/srumutil-LoadAndRunDiagScript "%temp%\RoamDiagLogs"-flushexport-logepl^["]?%temp%["]?\\.+[.]cab["]?$^["]?%temp%["]?\\.*[..|\\].*[.]cab["]?$RunExeWithArgsAction: Failed to create output filebase\diagnosis\diagtrack\extension\lib\coreexternal\runexewithargsaction.cppRunExeWithArgsAction: CreateProcess failedRunExeWithArgsAction was cancelled and the exe was terminated. The service is shutting down.RunExeWithArgsAction was cancelled and the exe was terminated. The executable took too long.exenamecommandlinemaximumruntimemsRun
                Source: C:\$Windows.~WS\Sources\SetupHost.exe File created: C:\$Windows.~WS\Sources\Panther\setuperr.log
                Source: C:\$Windows.~WS\Sources\SetupHost.exe File created: C:\$Windows.~WS\Sources\Panther\setupact.log

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\System32\Robocopy.exe File created: C:\ESD\MediaCreationTool.bat
                Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\Robocopy.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (4 identical entries)
                Source: C:\Windows\System32\Robocopy.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (181 identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process information set: NOOPENFILEERRORBOX (88 identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477 (9 identical entries)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 9530
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 359
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 1399
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 8437
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 1985
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 7550
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 2056
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 6979
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 2957
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 1620
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 1314
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 3167
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 1863
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Window / User API: threadDelayed 7938
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\SetupMgr.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\SetupCore.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\DiagTrack.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\DU.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\wpx.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\bcd.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\unattend.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\bootsvc.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\ServicingCommon.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\WinDlp.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\DiagTrackRunner.exe
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\wdsutil.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\pidgenx.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\hwreqchk.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\unbcl.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\Diager.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\setupplatform.dll
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe    Dropped PE file which has not been started: C:\$Windows.~WS\Sources\utcapi.dll
                Source: C:\$Windows.~WS\Sources\SetupHost.exe    Check user administrative privileges: GetTokenInformation
                Source: C:\$Windows.~WS\Sources\SetupHost.exe    API coverage: 7.6 %
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3560    Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5696    Thread sleep count: 1399 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5696    Thread sleep count: 8437 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4124    Thread sleep time: -5534023222112862s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6456    Thread sleep count: 1985 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1192    Thread sleep count: 7550 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6552    Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5056    Thread sleep count: 2056 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2492    Thread sleep count: 6979 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4640    Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1056    Thread sleep count: 2957 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1056    Thread sleep count: 1620 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3568    Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6592    Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1940    Thread sleep count: 1314 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1940    Thread sleep count: 3167 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3316    Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1324    Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2460    Thread sleep count: 1863 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6596    Thread sleep count: 7938 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2344    Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Windows\System32\conhost.exe    Last function: Thread delayed (3 identical entries)
                Source: C:\Windows\System32\expand.exe    File Volume queried: C:\ FullSizeInformation (2 identical entries)
                Source: C:\$Windows.~WS\Sources\SetupHost.exe    Code function: 99_2_7036EA08 FindFirstFileW,wcsncmp,_wtoi,_wtoi,FindNextFileW,GetLastError,GetLastError,WdsSetupLogMessageW,99_2_7036EA08
                Source: C:\$Windows.~WS\Sources\SetupHost.exe    Code function: 99_2_703727A0 FindFirstFileW,99_2_703727A0
                Source: C:\$Windows.~WS\Sources\SetupHost.exe    Code function: 99_2_70372580 GetLogicalDriveStringsW,99_2_70372580
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Thread delayed: delay time: 922337203685477 (9 identical entries)
                Source: bootsvc.dll.98.drBinary or memory string: api-ms-win-eventing-provider-l1-1-0.dlladvapi32.dllEventSetInformationDISMAPI.DLLDismInitializeDismOpenSessionDismGetFeatureInfoDismDeleteDismCloseSessionDismShutdownREAGENT.DLLWinRePostBCDRepairDISM_{53BFAE52-B167-4E2F-A258-0A37B57FF845}Microsoft-Hyper-V-Hypervisorversion.dllVS_VERSION_INFOVerQueryValueWGetFileVersionInfoWGetFileVersionInfoSizeW\VarFileInfo\Translation\StringFileInfo\%04x%04x\InternalNameFailed to get user token! Error code = %#xFailed to adjust token priveleges! Error code = %#xFailed to lookup privelege! Error code = %#xS-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464BfspSetSecurityDescriptor(%s) failed! Last Error = %#xFailed to get token information! Error code = %#xFailed to convert user SID! Error code = %#xConvertStringSecurityDescriptorToSecurityDescriptor failed! Error code = %#xGetSecurityDescriptorControl failed! Error code = %#xGetSecurityDescriptorOwner failed! Error code = %#xGetSecurityDescriptorGroup failed! Error code = %#xSetNamedSecurityInfo failed! Error code = %#x\KernelObjects\BcdSyncMutantBcdOpenSystemStore: Failed to acquire BCD sync mutant.Status: %xCreating store %08x.\Registry\Machine\System\CurrentControlSet\BootConfigurationDataUnable to create tempory root key. Status: %xNewStoreRootUnable to create tempory new store key. Status: %xFailed to create system store path. Status: %xFailed to get system store path. Status: %xFailed to create hive. Store: %ws Status: %xFailed to add new store from file. File: %ws Status: %xFailed to close new store. Store: %ws Status: %xFailed to adopt new store. File: %ws Status: %xFailed to open new system store. Store: %ws Status: %xFailed to create store. Status: %xNULLBcdOpenStore: Failed to acquire BCD sync Mutant. Store: %wsFlags: 0x%x Status: %xOpening store. Flags: 0x%xStore will be synchronized with firmware.Failed to open system store. 
Status: %xStore path: "%s"Store will be accessed with offline registry APIs.BcdOpenStore: Failed to add store from file %ws. StoreFlags: 0x%x Status: %xFailed to clear system store flag. Status: %xBcdCloseStore: Failed to acquire BCD sync mutant. Status: %xClosing store. Flags: 0x%xBcdForciblyUnloadStore: Failed to acquire BCD sync mutant. Status: %xExporting forcible unload to firmwareFailed to export unload alterations to firmware. Status: %xDescriptionExporting alterations to firmware.Failed to export alterations to firmware. Status: %xKeyNameTreatAsSystemFirmwareModifiedBCD%08dLoaded hive at BCD%08dFailed to load hive into key %ws from %s. Status: %xToo many unexplained failures. File: %s Last status: %xFailed to find a key to load store %s. Last attempted key: %wsObjectsFailed to initialize objects key for store. Store: %s StoreKey: %ws Status: %xFailed to initialize description key for store. Store: %s StoreKey: %ws Status: %xA valid store must have a description key.Failed to open description key for store. Store: %s StoreKey: %ws Status: %xFailed to set description key value. Store: %s StoreKey: %ws Status: %
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process information queried: ProcessInformation
                Source: C:\$Windows.~WS\Sources\SetupHost.exe    Code function: 99_2_70386560 IsDebuggerPresent,OutputDebugStringA,99_2_70386560
                Source: C:\$Windows.~WS\Sources\SetupHost.exe    Code function: 99_2_7037F850 WdsSetupLogMessageW,GetLastError,memset,GetProcessHeap,HeapAlloc,wcsrchr,GetProcessHeap,HeapFree,GetCurrentThreadId,GetMinorTask,GetMajorTask,GetProcessHeap,HeapFree,WdsSetupLogDestroy,ExitProcess,RaiseException,SetLastError,99_2_7037F850
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process token adjusted: Debug (7 identical entries)
                Source: C:\$Windows.~WS\Sources\SetupHost.exe    Code function: 99_2_7037E5E0 WdsSetupLogInit,memset,memset,memset,memset,memset,memset,memset,memset,GetLastError,GetWindowsDirectoryA,WdsLogRegStockProviders,WdsLogCreate,ExpandEnvironmentStringsW,GetFileAttributesW,CreateDirectoryW,SetUnhandledExceptionFilter,GetCurrentProcessId,GetLastError,WdsSetupLogMessageW,RtlAddVectoredExceptionHandler,RtlAddVectoredExceptionHandler,99_2_7037E5E0
                Source: C:\$Windows.~WS\Sources\SetupHost.exe    Code function: 99_2_70389056 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,99_2_70389056
                Source: C:\$Windows.~WS\Sources\SetupHost.exe    Code function: 99_2_7037F0D2 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,TlsFree,TlsGetValue,TlsFree,EnterCriticalSection,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LeaveCriticalSection,WdsLogDestroy,WdsLogUnRegStockProviders,99_2_7037F0D2
                Source: C:\$Windows.~WS\Sources\SetupHost.exe    Code function: 99_2_7037E290 WdsGenericSetupLogInit,GetLastError,SetUnhandledExceptionFilter,GetCurrentProcessId,WdsLogRegStockProviders,WdsLogCreate,99_2_7037E290

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match    File source: MediaCreationTool.bat, type: SAMPLE
                Source: Yara match    File source: C:\ESD\MediaCreationTool.bat, type: DROPPED
                Source: Yara match    File source: MediaCreationTool.bat, type: SAMPLE
                Source: Yara match    File source: amsi64_4216.amsi.csv, type: OTHER
                Source: Yara match    File source: amsi64_1388.amsi.csv, type: OTHER
                Source: Yara match    File source: Process Memory Space: Robocopy.exe PID: 6920, type: MEMORYSTR
                Source: Yara match    File source: C:\ESD\MediaCreationTool.bat, type: DROPPED
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 437Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKCU\Console /v ForceV2 /d 0x01 /t reg_dword /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ScreenColors /d 31 /t reg_dword /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable00 /d 0x000000 /t reg_dword /f Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable08 /d 0x767676 /t reg_dword /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable01 /d 0x9e5a00 /t reg_dword /f Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable09 /d 0xff783b /t reg_dword /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable02 /d 0x0ea113 /t reg_dword /f Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable10 /d 0x0cc616 /t reg_dword /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable03 /d 0xdd963a /t reg_dword /f Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable11 /d 0xd6d661 /t reg_dword /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable04 /d 0x1f0fc5 /t reg_dword /f Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable12 /d 0x5648e7 /t reg_dword /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable05 /d 0x981788 /t reg_dword /f Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable13 /d 0x9e00b4 /t reg_dword /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable06 /d 0x009cc1 /t reg_dword /f Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable14 /d 0xa5f1f9 /t reg_dword /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable07 /d 0xcccccc /t reg_dword /f Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ColorTable15 /d 0xffffff /t reg_dword /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v QuickEdit /d 0x0000 /t reg_dword /f Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v LineWrap /d 0 /t reg_dword /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v LineSelection /d 0x0001 /t reg_dword /f Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v CtrlKeyShortcutsDisabled /d 0 /t reg_dword /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v WindowSize /d 2097272 /t reg_dword /f Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v ScreenBufferSize /d 655294584 /t reg_dword /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v FontSize /d 0x00100008 /t reg_dword /f Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKCU\Console\MCT" /v FaceName /d "Consolas" /t reg_sz /f Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -R -S -H "C:\ESD" Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\Robocopy.exe robocopy "C:\Users\user\Desktop\/" "C:\ESD/" "MediaCreationTool.bat" Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /d /x /c set "ROOT=C:\Users\user\Desktop" & call "C:\ESD\MediaCreationTool.bat" setJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 437Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -R -S -H "C:\ESD" Jump to behavior
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Robocopy.exe robocopy "C:\ESD\/" "C:\ESD/" "MediaCreationTool.bat"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c echo prompt $h$s$h:|cmd /d
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|" 2>nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:f0 " Detected Media "\..\c nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:6f " en-US "\..\c nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:9f " Enterprise "\..\c nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:2f " x64 "\..\c nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "1 Auto Upgrade : MCT gets detected media, script assists setupprep for upgrading "\..\c nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "2 Auto ISO : MCT gets detected media, script assists making ISO here | C:ESD "\..\c nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "3 Auto USB : MCT gets detected media, script assists making USB stick target "\..\c nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "4 Select : MCT gets selected Edition, Language, Arch onto specified target "\..\c nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "5 MCT Defaults : MCT runs unassisted, creating media without script modification "\..\c nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:17 "1-4 adds to media: PID.txt, EI.cfg, $ISO$ dir, auto.cmd for upgrade and tpm checks "\..\c nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:17 "can rename script: "\..\c nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:1f "def MediaCreationTool.bat"\..\c nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:17 " to always create unmodified MCT media "\..\c nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\fltMC.exe fltmc
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\expand.exe expand.exe -R products11_23H2.cab -F:* .
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /c:\ /a:0f " Auto Upgrade "\..\c nul
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:PRODUCTS_XML\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1';iex($0+$1)"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\makecab.exe makecab products.xml products.cab
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]generate_auto_cmd')[1];"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]generate_AutoUnattend_xml')[1];"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Dism.exe dism /cleanup-wim
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]Assisted_MCT')[1];"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo prompt $h$s$h:"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /d
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|"
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /q /v:on /c echo !.:~2,1!
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\ESD\MCT\MediaCreationTool11_23H2.exe "C:\ESD\MCT\MediaCreationTool11_23H2.exe" /SelfHost /Action CreateMedia /MediaLangCode en-US /MediaEdition Enterprise /MediaArch x64 /Pkey Defer /Compat IgnoreWarning /MigrateDrivers All /ResizeRecoveryPartition Disable /ShowOOBE None /Telemetry Disable /CompactOS Disable /DynamicUpdate Disable /SkipSummary /Eula Accept
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe Process created: C:\$Windows.~WS\Sources\SetupHost.exe "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web /Eula Accept /Selfhost "/Action" "CreateMedia" "/MediaLangCode" "en-US" "/MediaEdition" "Enterprise" "/MediaArch" "x64" "/Pkey" "Defer" "/Compat" "IgnoreWarning" "/MigrateDrivers" "All" "/ResizeRecoveryPartition" "Disable" "/ShowOOBE" "None" "/Telemetry" "Disable" "/CompactOS" "Disable" "/DynamicUpdate" "Disable" "/SkipSummary"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\ESD\MCT\MediaCreationTool11_23H2.exe "c:\esd\mct\mediacreationtool11_23h2.exe" /selfhost /action createmedia /medialangcode en-us /mediaedition enterprise /mediaarch x64 /pkey defer /compat ignorewarning /migratedrivers all /resizerecoverypartition disable /showoobe none /telemetry disable /compactos disable /dynamicupdate disable /skipsummary /eula accept
                Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe Process created: C:\$Windows.~WS\Sources\SetupHost.exe "c:\$windows.~ws\sources\setuphost.exe" /download /web /eula accept /selfhost "/action" "createmedia" "/medialangcode" "en-us" "/mediaedition" "enterprise" "/mediaarch" "x64" "/pkey" "defer" "/compat" "ignorewarning" "/migratedrivers" "all" "/resizerecoverypartition" "disable" "/showoobe" "none" "/telemetry" "disable" "/compactos" "disable" "/dynamicupdate" "disable" "/skipsummary"
                Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 99_2_70384474 InitializeSecurityDescriptor,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLengthSid,GetLengthSid,GetLengthSid,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,EqualSid,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetProcessHeap,HeapFree, 99_2_70384474
                Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: 99_2_7037D33C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 99_2_7037D33C
                Source: C:\$Windows.~WS\Sources\SetupHost.exe Code function: GetLocaleInfoW, 99_2_70372C80
                Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\Robocopy.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitsTransfer\Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\Dism.exeQueries volume information: C:\Windows\Logs\DISM\dism.log VolumeInformation
                Source: C:\Windows\System32\Dism.exeQueries volume information: C:\Windows\Logs\DISM\dism.log VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationClientsideProviders\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationClientsideProviders.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationClient\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationClient.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Queries volume information: C:\$Windows.~WS\Sources VolumeInformation
Source: C:\ESD\MCT\MediaCreationTool11_23H2.exe | Queries volume information: C:\$Windows.~WS VolumeInformation
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 99_2_7037F35C GetLocalTime,SystemTimeToVariantTime,99_2_7037F35C
Source: C:\$Windows.~WS\Sources\SetupHost.exe | Code function: 99_2_70384E42 GetVersion,GetModuleHandleW,GetProcAddress,memset,ExpandEnvironmentStringsW,LoadLibraryExW,FreeLibrary,GetProcAddress,99_2_70384E42
Source: C:\Windows\System32\expand.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (a number in front of a technique is the report's match count for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 11 Command and Scripting Interpreter | 1 BITS Jobs | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | 1 Scripting | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 Bootkit | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 DLL Side-Loading | Login Hook | 1 BITS Jobs | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 3 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | 26 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Bootkit | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Software Packing | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Timestomp | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 DLL Side-Loading | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 File Deletion | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1431721 | Sample: MediaCreationTool.bat | Startdate: 25/04/2024 | Architecture: WINDOWS | Score: 72

Signatures attached to the sample:
• Yara detected Powershell download and execute
• Yara detected Powershell decode and execute
• Sigma detected: PowerShell Base64 Encoded IEX Cmdlet

Process tree recovered from the behavior graph (signatures in square brackets, dropped files after "dropped"):
• cmd.exe started [Uses cmd line tools excessively to alter registry or file data]
  • cmd.exe started [Uses cmd line tools excessively to alter registry or file data]
    • powershell.exe started
      • MediaCreationTool11_23H2.exe started; dropped C:\$Windows.~WS\Sources\wpx.dll (PE32), C:\$Windows.~WS\Sources\wimgapi.dll (PE32), C:\$Windows.~WS\Sources\wdsutil.dll (PE32) and 19 other files (none is malicious)
        • SetupHost.exe started
    • cmd.exe started [Uses cmd line tools excessively to alter registry or file data]
      • reg.exe started
    • cmd.exe started
      • reg.exe started
    • 41 other processes [Powershell uses Background Intelligent Transfer Service (BITS)]
      • powershell.exe started
      • cmd.exe started
      • reg.exe started
      • 5 other processes
  • Robocopy.exe started; dropped C:SD\MediaCreationTool.bat (ASCII) [Self deletion via cmd or bat file]
  • conhost.exe started
  • 28 other processes

                No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\$Windows.~WS\Sources\DU.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\DU.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\DiagTrack.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\DiagTrack.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\DiagTrackRunner.exe | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\DiagTrackRunner.exe | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\Diager.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\Diager.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\ServicingCommon.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\ServicingCommon.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\SetupCore.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\SetupCore.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\SetupHost.exe | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\SetupHost.exe | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\SetupMgr.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\SetupMgr.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\WinDlp.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\WinDlp.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\bcd.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\bcd.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\bootsvc.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\bootsvc.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\hwreqchk.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\hwreqchk.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\pidgenx.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\pidgenx.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\setupplatform.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\setupplatform.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\unattend.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\unattend.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\unbcl.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\unbcl.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\utcapi.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\utcapi.dll | 0% | Virustotal | | Browse
C:\$Windows.~WS\Sources\wdscore.dll | 0% | ReversingLabs | |
C:\$Windows.~WS\Sources\wdscore.dll | 0% | Virustotal | | Browse
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
https://download.microsoft. | 0% | Avira URL Cloud | safe |
https://download.microsoft. | 0% | Virustotal | | Browse
                No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/windowsserverupgradea | MediaSetupUIMgr.dll.98.dr | false | | high
https://aka.ms/windowsserverupgrade | MediaSetupUIMgr.dll.98.dr | false | | high
https://aka.ms/azurestackhciupgrade. | MediaSetupUIMgr.dll.98.dr | false | | high
https://aka.ms/windowsserverupgradey | MediaSetupUIMgr.dll.98.dr | false | | high
https://aka.ms/windowsserverupgradez | MediaSetupUIMgr.dll.98.dr | false | | high
https://aka.ms/windowsserverupgradeuSorry | MediaSetupUIMgr.dll.98.dr | false | | high
https://aka.ms/windowsserverupgrade7 | MediaSetupUIMgr.dll.98.dr | false | | high
https://aka.ms/windowsserverupgradejEr | MediaSetupUIMgr.dll.98.dr | false | | high
https://aka.ms/windowsserverupgradeoDet | MediaSetupUIMgr.dll.98.dr | false | | high
https://aka.ms/windowsserverupgrade5 | MediaSetupUIMgr.dll.98.dr | false | | high
https://aka.ms/azurestackhciupgrade(Instalacijski | MediaSetupUIMgr.dll.98.dr | false | | high
https://aka.ms/azurestackhciupgrade# | MediaSetupUIMgr.dll.98.dr | false | | high
https://aka.ms/windowsserverupgradewVi | MediaSetupUIMgr.dll.98.dr | false | | high
https://download.microsoft. | MediaCreationTool11_23H2.exe, 00000062.00000002.2474844921.0000000002E40000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://aka.ms/azurestackhciupgrade | MediaSetupUIMgr.dll.98.dr | false | | high
https://aka.ms/azurestackhciupgrade) | MediaSetupUIMgr.dll.98.dr | false | | high
https://aka.ms/windowsserverupgrade. | MediaSetupUIMgr.dll.98.dr | false | | high
                                                No contacted IP infos
                                                Joe Sandbox version:40.0.0 Tourmaline
                                                Analysis ID:1431721
                                                Start date and time:2024-04-25 17:09:42 +02:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 8m 54s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:102
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:MediaCreationTool.bat
                                                Detection:MAL
                                                Classification:mal72.evad.winBAT@170/119@0/0
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 27
                                                • Number of non-executed functions: 139
                                                Cookbook Comments:
                                                • Found application associated with file extension: .bat
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, download.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
17:10:16 | API Interceptor | 159x Sleep call for process: powershell.exe modified
                                                No context
                                                No context
                                                No context
                                                No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\$Windows.~WS\Sources\DiagTrackRunner.exe | 7bYDInO.rtf | Get hash | malicious | Unknown | Browse |
C:\$Windows.~WS\Sources\DiagTrack.dll | 7bYDInO.rtf | Get hash | malicious | Unknown | Browse |
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):140776
                                                    Entropy (8bit):6.470930895253555
                                                    Encrypted:false
                                                    SSDEEP:3072:Z+t9Dp526Dnei2X2Mk1p/wQwJV9Z0nAEk1u9U:Zsp52qneN2hxA1
                                                    MD5:80DEEC894B24CC7B8E75F9D7E0AFE08C
                                                    SHA1:B89A1AE45A0E51D0CA160B7481714900688611D4
                                                    SHA-256:013EFB53DE6870E86D45249B2EAAB202035F719A5C920E1DDC4D6935942ECE78
                                                    SHA-512:991B8C1FC87EEA662F3B6161F70D256FF2ED5BB97AC3315ADD0F165E9119F709B7C54F7DBDE4396339080AC0745CAEC26C989FE9FC6B40795A9E5A98DD398193
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........w..$..$..$...%..$...%..$..$..$...%..$...%..$...%..$...%..$..t$..$...%..$Rich..$................PE..L...6..o...........!.........F......`........................................@............@A........................0.......$............................%... ..8......T...............................@.......................@....................text............................... ..`.data...............................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..8.... ... ..................@..B................................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):922976
                                                    Entropy (8bit):6.46965241570797
                                                    Encrypted:false
                                                    SSDEEP:12288:Er+9jUr2TTWLQRPwMRlf+8Kh+fx6gmkwJKdMrtUIHkaMNUEP3g5Qy1Jxb3ArS:A+9jUr2TTr5LlfcwwggUhnNzg5Rbwr
                                                    MD5:6C3F6A6BC5EDE978E9DFE1ACCE386339
                                                    SHA1:3B7B51D762C593E92123F9365A896ED64EE26A7A
                                                    SHA-256:B55D66F2943F1C63EA9B39DAE88AA2A4F91775CEFFFEFD263BD302866A7BD91C
                                                    SHA-512:3F87064354A0F55F36AA272C5918D208B8A77FFFB7965E9B50727C06FD8D8DB5E6695636A7DB37926FE444C91E4A4A7DC892EF5EF57676BA9515216D5E5F94FF
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                    Joe Sandbox View:
                                                    • Filename: 7bYDInO.rtf, Detection: malicious, Browse
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b...&..&..&..J..*..&....J.....J..(..J..(..J..'..J.....J..'..J..'..Rich&..........................PE..L.....2V...........-.........d...............................................P......D.....@A........................ ...]...`...@.......p...............`!..........N..8...........................HO..@...............\.......@....................text...}........................... ..`.data...............................@....idata...&.......(..................@..@.didat.. ...........................@....rsrc...p...........................@..@.reloc..............`..............@..B........................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):79040
                                                    Entropy (8bit):5.68085764397868
                                                    Encrypted:false
                                                    SSDEEP:1536:ctlKhKIqVXrOLgef8j1D8KxLQgSSQlsJkGAsC:SlYKrOMso1D8KxLQgSdKJMsC
                                                    MD5:76F30A1E149792D2542A253B920CBEF6
                                                    SHA1:9040E0873DF5CC2A64B850D1B8159B77528BA62C
                                                    SHA-256:488CBC8330952DD13B797BB40E4E30610ED03483C25919C39555F7B334A3C159
                                                    SHA-512:EC39861A3F39F88AAD52975974C988AE76376A09136D95F5D4FEDD60EE7EC252736D882CEF77298D82D786E0DAD13C61148B29D7C5FB7BA7D7C74B05DE9D7E84
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                    Joe Sandbox View:
                                                    • Filename: 7bYDInO.rtf, Detection: malicious, Browse
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S...S...S....-%.P....-&.F....-'.U....-;.X...S........-#.R....-9.R....-$.R...RichS...................PE..L...Y.2V.................V...........U.......p....@..........................0......M.....@.................................,...x........................<... .......#..8............................$..@...............(............................text...0U.......V.................. ..`.data........p.......Z..............@....idata...............\..............@..@.rsrc................d..............@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):59864
                                                    Entropy (8bit):6.435767828042582
                                                    Encrypted:false
                                                    SSDEEP:1536:yFWI5Vp0CB5HCzVxTk9L7sDqFcB3H68GsP3zcx:ypDTHoVx87sDqFcB3aKv4x
                                                    MD5:7C249C3655A8502DB93BF9AF3FD7850D
                                                    SHA1:167A06523C459E7EC486C6B3A4C6E5BE7FADFF12
                                                    SHA-256:6CD35C7DBC27635DACFDDB091F4B38ABEC7E1C174C586022CB2D05460998AA98
                                                    SHA-512:AA645D2C304D7305ACFF2FB54275B6EA2D8F9B652CB464666DE510FB083CA786FC563CCC25C4CDE1962A65007DB08E40B19F5CC172FFA8E53AA909F9E7190754
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3|S.w.=.w.=.w.=.<e>.u.=.<e9.x.=.w.<...=.<e<.x.=.<e8.r.=.<e=.v.=.<e5.}.=.<e..v.=.<e?.v.=.Richw.=.........................PE..L......)...........!.........*.......................................................G....@A............................................................%...........'..T...............................@......................@....................text............................... ..`.data...@...........................@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):2988008
                                                    Entropy (8bit):5.5415391564949115
                                                    Encrypted:false
                                                    SSDEEP:24576:tUKvn7e7uVCLk1B2x8UTJID0PGKFtV4mnFS5D:tVfy7uVCL2sxjPvFt+mnFKD
                                                    MD5:7D4FE1129669F50F96AA8C499885A0C5
                                                    SHA1:5CF04D7B3BF36C631185B2CB595D04FB83EDD06E
                                                    SHA-256:F9A97E62011D8130CC2A2285BACBAD57B64C08851B8C88D70DD24377943B76A1
                                                    SHA-512:6853B2FCF2DB5EE7411D7BC24A793F1B17ED9CCBF2A550F0352CF7C8B290840657A30A43F24CFCB42E42792E1B1466092CE54D9368AE79D5851A211A14CC2C8D
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%, Browse
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........uO..............................................j...........................................Rich....................PE..L..................!.....~....&.....PL........................................-...........@A........................0...X.......h........'&..........r-..%...@-. {..\...T...................8t......xs..@............................................text....}.......~.................. ..`.data...`M.......&..................@....idata...$.......&..................@..@.rsrc....0&......(&.................@..@.reloc.. {...@-..|....,.............@..B................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.329031497158885
                                                    Encrypted:false
                                                    SSDEEP:24:5I5aVbJDP+tUI0X3AN0/1Cvf/g3vvQ/1Cv8Gh/1Cvze/g3vO/1CvVL/1CvR/g3v5:5MwiGI0P4GsfT/7
                                                    MD5:160AFBF357021800E44A44BF1E20141D
                                                    SHA1:BBAFC342200C18AAA980E8CE645CC0E66D45BD90
                                                    SHA-256:D9E71373C5470FA5597DD4E7627F6946F9817410FB482A2D34DD162F82222668
                                                    SHA-512:C24DC469CD9D792D03A50D91DCD40D947419DA1CA5B452DB5BD83CBD294DDB9DA16C21387AEC8C159E51F32ACCC4839BE43DFBA9DF99DBA738443857ECDAD850
                                                    Malicious:false
                                                    Preview:.<xml xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882". xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882". xmlns:rs="urn:schemas-microsoft-com:rowset". xmlns:z="#RowsetSchema">.<s:Schema id="RowsetSchema">.<s:ElementType name="row" content="eltOnly" rs:updatable="true">.<s:AttributeType name="Cls" rs:number="0">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Sev" rs:number="1">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Maj" rs:number="2">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Min" rs:number="3">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="LN" rs:number="4">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Fil" rs:number="5">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Fun" rs:number="6">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Uid" rs:number="7">.<s:datatype dt:type="int"/>.</s:At
                                                    Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.329031497158885
                                                    Encrypted:false
                                                    SSDEEP:24:5I5aVbJDP+tUI0X3AN0/1Cvf/g3vvQ/1Cv8Gh/1Cvze/g3vO/1CvVL/1CvR/g3v5:5MwiGI0P4GsfT/7
                                                    MD5:160AFBF357021800E44A44BF1E20141D
                                                    SHA1:BBAFC342200C18AAA980E8CE645CC0E66D45BD90
                                                    SHA-256:D9E71373C5470FA5597DD4E7627F6946F9817410FB482A2D34DD162F82222668
                                                    SHA-512:C24DC469CD9D792D03A50D91DCD40D947419DA1CA5B452DB5BD83CBD294DDB9DA16C21387AEC8C159E51F32ACCC4839BE43DFBA9DF99DBA738443857ECDAD850
                                                    Malicious:false
                                                    Preview:.<xml xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882". xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882". xmlns:rs="urn:schemas-microsoft-com:rowset". xmlns:z="#RowsetSchema">.<s:Schema id="RowsetSchema">.<s:ElementType name="row" content="eltOnly" rs:updatable="true">.<s:AttributeType name="Cls" rs:number="0">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Sev" rs:number="1">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Maj" rs:number="2">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Min" rs:number="3">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="LN" rs:number="4">.<s:datatype dt:type="int"/>.</s:AttributeType>.<s:AttributeType name="Fil" rs:number="5">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Fun" rs:number="6">.<s:datatype dt:type="string"/>.</s:AttributeType>.<s:AttributeType name="Uid" rs:number="7">.<s:datatype dt:type="int"/>.</s:At
                                                    Process:C:\$Windows.~WS\Sources\SetupHost.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):0.41393142902579133
                                                    Encrypted:false
                                                    SSDEEP:48:yqSm05/q9cmdH1IRmZ2T2jsbgn4kKgwNrMym:Gm05/q9cUD2ajsbg4kKx
                                                    MD5:90EDAE2DA94516037B76D5AED0BD83A0
                                                    SHA1:A3495E18070BD0CC0395E97CF992EA0717C945D9
                                                    SHA-256:173C8FCFA3E235E5B3521D7BB86D8CAD2B608AA9029B9A6D9ACE015C10C78347
                                                    SHA-512:267978D03983518A32DBC21AFCC189F5EA74A4977C2EA0C75B9AA5BD342AF1C6028E2CE3FA27D0354AAA831219AF2BB50FEBE4FD5577B3A1089331DB9E749DC9
                                                    Malicious:false
                                                    Preview:.2024-04-25 17:10:58, Info MOUPG *************** SetupHost Logging Begin ***************..2024-04-25 17:10:58, Info MOUPG SetupHost::Initialize..2024-04-25 17:10:58, Info MOUPG SetupHost::Initialize: ModulePath = [C:\$Windows.~WS\Sources]..2024-04-25 17:10:58, Info MOUPG SetupHost::Initialize: WorkingPath = [C:\$Windows.~WS\Sources]..2024-04-25 17:10:58, Info MOUPG SetupHost::Initialize: LoggingPath = [C:\$Windows.~WS\Sources\Panther]..2024-04-25 17:10:58, Info MOUPG SetupHost::Initialize: MediaPath = []..2024-04-25 17:10:58, Info MOUPG SetupHost::Initialize: InstallFilePath = []..2024-04-25 17:10:58, Info MOUPG SetupHost::Initialize: ActionListFilePath = []..2024-04-25 17:10:58, Info MOUPG SetupHost::Initialize: CmdLine = [/Download /Web /Eula Accept /
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):800696
                                                    Entropy (8bit):6.822883246784218
                                                    Encrypted:false
                                                    SSDEEP:12288:BdgYCOY+/7r9G437TMNiciv8DuJeyd7UvP4JHjX:IYCS/H9G0ENihUcd7UvP4JDX
                                                    MD5:62B2A429451A7D4CCD915294906ECBB6
                                                    SHA1:65092DCE10872D19048686669661E8D13BADE68A
                                                    SHA-256:33E582216F01C25B9599CF320A8C4F562978F2F84F43BB1918B0BD2FBC004E6B
                                                    SHA-512:29A44DB78E466F1259213EBD6D06AEDB297E757738DD125436CA2B76694FFAE824C0C031540EE3AF2BC040BD48B1C94238991594321A28A139A5A6CE990CDBF9
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v...%...%...%)..$...%)..$...%...$...%.N%...%...%N..%...$...%...$...%...$...%...$B..%...$...%.."%...%...$...%Rich...%........................PE..L....J.e.........."!.....<..........p........P...............................@......H.....@A........................@...$... s..<........'...............A......Xj...=..T....................B..........@............p......$).......................text...d;.......<.................. ..`.data........P.......@..............@....idata.......p.......J..............@..@.didat...............`..............@....rsrc....'.......(...b..............@..@.reloc..Xj.......l..................@..B................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):2259928
                                                    Entropy (8bit):5.947140279533104
                                                    Encrypted:false
                                                    SSDEEP:24576:p4+8IBZtEoNMcbm0Lml6d8m1woYqni3gUD3/s1+qDRFmsCdEmNtTRMybl1o+1q9T:S+/3NjOTr+MsCdEmvRMH+I9V6O
                                                    MD5:2837188DEA00E4117B628CADC00E8AF4
                                                    SHA1:6A19D8EF8776433400F040140F0A003E03A6E81A
                                                    SHA-256:4AD921496D876A5049171461FE7479E6A336FF370838CDCEFE81D1711B8B057F
                                                    SHA-512:6C683F29D4B6431EA923C09A345C0B2576400A057C798DAE25732B07225F7627A950D32E94DDD1374169D8A3E2B4DF66875E31CD1A7F69A4CCF0A53C8BC8D85A
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\..f2.f2.f2....f2.X.1.f2...1.f2...6.f2.f3.Eg2...3.f2...7.f2...2.f2...:.Sf2.....f2...0.f2.Rich.f2.................PE..L...,..p...........-.....0..."......p........@................................"......."...@A........................0>..R......|...................V"..%....!.|...H...T...................h...........@....................<..`....................text............0.................. ..`.data....b...@...F...4..............@....idata...).......*...z..............@..@.didat..$...........................@....rsrc...............................@..@.reloc..|.....!......`!.............@..B................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):680408
                                                    Entropy (8bit):6.5702514190575165
                                                    Encrypted:false
                                                    SSDEEP:12288:JXO1HWjplx567JwV5y3pxO7hCoGtGChM3gVVMR7yxph1hyGLov5IE/SHrS+TWj+d:JXO1YplPwwVF0oGtGChRiR7yHa+vJYwJ
                                                    MD5:ED6DA1611D817426E4B7DE89FE458F76
                                                    SHA1:0C6F5672E2682E4D4A62F1275F39009CE0FA2801
                                                    SHA-256:0CBAB77CA7138DFE69E8A743156FF707C6D286ACB2BCE2DC544EDF9D257BEBFE
                                                    SHA-512:C007AAB0199EFB04BBA9F16EA82F2BA5A4C483F32099BA07329800EE496705886F3DA2F61530F0DE7B61A6BC555B743B42B62EA9C7093A481FD803F213E4E5A3
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.....v[..v[..v[...[..v[K.uZ..v[K.rZ..v[..w[..v[K.wZ..v[K.sZ..v[K.~Z..v[K..[..v[K.tZ..v[Rich..v[................PE..L................................................@.......................................@...... ...........................5..T....`..H............<...%...0..t]..D...T...................H...........@............0...............................text...(........................... ..`.data....8..........................@....idata...&...0...(..................@..@.rsrc...H....`......................@..@.reloc..t]...0...^..................@..B........................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):829912
                                                    Entropy (8bit):6.604023853771328
                                                    Encrypted:false
                                                    SSDEEP:12288:cO+l6SVyVZLLQ/RIlvQb/1SxqrdKmh3hunzMoYSJItU+JlSpqotwKiYZSBeh28yy:1myvZSBa28jth4UuXiD8q6qAx2hS8MYX
                                                    MD5:B2F1226F8A7EFB3EB908754B8AAF1273
                                                    SHA1:652D2726D4D8728A7832B178E6C01236B8538AC6
                                                    SHA-256:8A954EFE3F2E080B4783955D8BCF6B435AE6E0F9154D3DE19318DF42A984C152
                                                    SHA-512:261138812761AF8C8E37E6D8DF40B1640137D1D623BF70096FBF0074F5B43515AECD303B714FD448C71BE8594DC14C37502EA240ED726E2737DA3C6A65257804
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C...-J..-J..-J...K..-J..J..-J...K.-J..)K.-J..,JC.-J..,K.-J..(K.-J..-K..-J..%K!.-J...J..-J../K..-JRich..-J................PE..L....".o...........-.................V....................................................@A........................`...Q....D..h....p...................%.......q...8..T...............................@............@...............................text............................... ..`.data... N..........................@....idata...!...@..."..................@..@.rsrc........p......................@..@.reloc...q.......r..................@..B........................................................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1211864
                                                    Entropy (8bit):6.442923276141236
                                                    Encrypted:false
                                                    SSDEEP:24576:VYGqxq0gpChveWPIsl1UNpMu1mEHPwZkVpt840NDZpFvcdjQUwY:Rqxq0gpCleW8xm6PwZmtWFiTwY
                                                    MD5:55941ED1D0B679B0F92EAA81C677F3DC
                                                    SHA1:3BE5AA07E4048B4AFC1B8ECBAC334B24B454D065
                                                    SHA-256:D6497348E80B5849A595D7785A5972E0CCAFAFE0058A3142579F9A4F786D96BA
                                                    SHA-512:E6A93F84B6D1B043E479BC3E0D771F34621DDB789B0155224B4E1A94CAB65C3B88B1B2E5544F3ACB58052CCCF5820599FDB6085CB5FB02653468C1B591129724
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L..3..`..`..`..!`..`.a..`C..a..`C..a..`C..a..`..`..`C..a..`C..a..`C..a..`C.M`..`C..a..`Rich..`........PE..L....N.s...........-.....D...................`............................................@A.........................Q..}...xv..@........C...........X...%......d.......T............................$..@............p..p............................text...MB.......D.................. ..`.data...@....`.......H..............@....idata..P,...p.......L..............@..@.rsrc....P.......D...z..............@..@.reloc..d...........................@..B................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):114232
                                                    Entropy (8bit):6.430800481651526
                                                    Encrypted:false
                                                    SSDEEP:3072:jDJUIjahb/VBNEywYa/G3TOQ21Gb1ie+uZ:V2VBCywr/SXQG7
                                                    MD5:0E31ABEA6B79B34CE4369BC75E207EDA
                                                    SHA1:E45AD99D1BE47CB59826C58AFC584CBB17C28FA5
                                                    SHA-256:70D8C5FAA6358C03E934E02301DFD8384A484EA083DEB1E55EF20A2A11CDD67C
                                                    SHA-512:13DA79D873E6278696D5EF289EB77168E6A5B5B07099AEA0076767710072F08FF524F16B2537A856EDA723555C98E18F0DEF304EC968649265095CF3E846DBA2
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... ... ... ...)..."...k.$...k.#... ...P...k.(...k.!...k.5...k.B.!...k.!...Rich ...........................PE..L..................!.....p...".......m..............................................Rk....@A.........................u.........<.......................8*..........|d..T...............................@............................................text....o.......p.................. ..`.data................t..............@....idata..,............v..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):221176
                                                    Entropy (8bit):6.225763837056857
                                                    Encrypted:false
                                                    SSDEEP:3072:nbPd0upDJUEm5Tvxd8D33ZeEbdVowV+i7rVYAzeT+QS8ZmuzGJhED9CE0W9h:nbPde5T5dMeEbdGwVDrVYIe60zzGXEjB
                                                    MD5:D888A9E2A1792B2205BDAFCC4C28455C
                                                    SHA1:F9CD366467E09D62343161CD73C0B8807E06819A
                                                    SHA-256:59CB50B87921DBFA2B59C06D3256A07F09DB69FAEC34B8F0A462F0EB4E1E5D47
                                                    SHA-512:3236BDDD4E0F11E358E4F3138FCE25B7D366E2F550F9FB61A81C30606836637CBA367BE7DBE5472C301A6673BA7A328CF3809D063B65A5E579689423F4FF9E06
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`...$.zT$.zT$.zT-..T,.zTo..U%.zTo.yU'.zTo.~U*.zT$.{T+.zTo.{U-.zTo.rU..zTo.zU%.zTo..T%.zTo.xU%.zTRich$.zT........PE..L...VQF............!.........@......P........................................p......V.....@A........................@........#.......@...............2...-...P..........T...............................@............ ..x............................text...I........................... ..`.data...@...........................@....idata....... ......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):263168
                                                    Entropy (8bit):6.63380836392319
                                                    Encrypted:false
                                                    SSDEEP:6144:B/ZPbEuA9uER3gb/RSwEUorHTtGibEfltwIaGwrCHm:B/ZPb3A9uERUSwEU6HRklt9Wf
                                                    MD5:25E483FDCF8A200CC91147CE0397C300
                                                    SHA1:16286DC5C40556E232FD37DA373F02BEA331C5D4
                                                    SHA-256:C47D6594BDD2D2A9680C9D04FFE1E6B031080750851390CDDB2BC230B107A48E
                                                    SHA-512:F469C6E1A6FA542DC852C1CC2C78E159EE8321C7D61480DBA815F1F261CB5D44C3963501751E144E36F4A23EB841C42E1060ED0E63B4D8424A33E11B4C2CAB5B
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................g....................................................................Rich............................PE..L...\..............!.........z...............................................0.......!....@A............................X...............P&.......................%..(...T...........................0...@............................................text.............................. ..`.data...`...........................@....idata..>...........................@..@.rsrc...P&.......(..................@..@.reloc...%.......&..................@..B........................................................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):886744
                                                    Entropy (8bit):6.875514313675728
                                                    Encrypted:false
                                                    SSDEEP:24576:KiALSLidAiQ79jQAID1TIh76N3qCf0Di4qMTWA:wTAiQ79A1TdN6rqMaA
                                                    MD5:4EEE7EB18A6F0E663BC7D181E1D946F3
                                                    SHA1:34A9FD01BFF15C079DCC17EE761443460EE30BF8
                                                    SHA-256:37C70EB65D2A0D14E821140B47D63CB79D2AFE073E6625BB77EECA865133F880
                                                    SHA-512:75C64136DF0F850058A63C41BBAFD9CD76EB606260A2FFF5357434B2978F0F7C2FCDABEE3511318B981273FEA8B4F39B0D994F8ED0DAE2B4E9652D7A7888B78D
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)..SH.YSH.YSH.Y.8.XRH.Y.0.XCH.YSH.Y$H.Y.0.XXH.Y.0.XRH.Y.0.XRH.Y.0.X.H.Y.0.XZH.Y.0vYRH.Y.0.XRH.YRichSH.Y................PE..L...-u............!................P...........................CS P.................\....@A........................@...s.......x....................b...%... ...w......T...................@5.......4..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc...w... ...x..................@..B................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (65533), with no line terminators
                                                    Category:dropped
                                                    Size (bytes):601224
                                                    Entropy (8bit):5.713110855049739
                                                    Encrypted:false
                                                    SSDEEP:3072:VrthstoQ5tY4tsBl9x5H6zEASICrsLCwRf5G2rgXBQETLV+M76sudH2U2zLSahId:SeZHFKyPMAP+TwmN/KH+W4
                                                    MD5:7C1263F19375E84971D1F99F2ACCC974
                                                    SHA1:E916F3CAEF6DF79672D8FACE42537713550E4DF0
                                                    SHA-256:1C2F0C76E700F210FF8DBF62AD468F630AA8BC326893047DA680E0AD2C5A47E7
                                                    SHA-512:81172BF262BA99BEA2ED9F06CAC23A145EA40D386066CAD8C4862852D66765832FA60B0BA304F0A0CB452FA732916D17D71F09A6632983E1A2D9610B8DE01316
                                                    Malicious:false
                                                    Preview:.<?xml version="1.0" encoding="utf-8"?><rg:licenseGroup xmlns:rg="urn:mpeg:mpeg21:2003:01-REL-R-NS"><r:license xmlns:r="urn:mpeg:mpeg21:2003:01-REL-R-NS" licenseId="{06a4dd30-84b7-4fd2-b859-f1eddb0858f5}" xmlns:sx="urn:mpeg:mpeg21:2003:01-REL-SX-NS" xmlns:mx="urn:mpeg:mpeg21:2003:01-REL-MX-NS" xmlns:sl="http://www.microsoft.com/DRM/XrML2/SL/v2" xmlns:tm="http://www.microsoft.com/DRM/XrML2/TM/v2"><r:title>XrML 2.1 License - Product Key Configuration</r:title><r:issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.microsoft.com/xrml/lwc14n"/><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference><Transforms><Transform Algorithm="urn:mpeg:mpeg21:2003:01-REL-R-NS:licenseTransform"/><Transform Algorithm="http://www.microsoft.com/xrml/lwc14n"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>GF/+SCLmiolopqRWo4ot8kHuqKY=</DigestValue></Reference></SignedI
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 26800 bytes, 1 file, at 0x2c +A "products.xml", number 1, 33 datablocks, 0x1 compression
                                                    Category:dropped
                                                    Size (bytes):26800
                                                    Entropy (8bit):7.969790832630451
                                                    Encrypted:false
                                                    SSDEEP:768:8APwG2rXm6i6dQvV+ERKj8bBxzoqeI8V0vKBFN:PQ26i6C9+ERW8bBbuVo6FN
                                                    MD5:7DA6A372AC5FEF296CAC1FB672E482FF
                                                    SHA1:88C45C8F6A22BEAB319AC3BFF378E0CFC66DBE9B
                                                    SHA-256:FA24F048156B5E2255DA6C412A77CA794BD6C42356BEAC51C000E52CC6C431AB
                                                    SHA-512:55851B274143197AA689445F9A4E9849E9739EB2475981921DADD793052BBFB6268BE4CF05BEEF6473FD63D424701A385BF74704F4EF04602CB0F2BA5C13FF01
                                                    Malicious:false
                                                    Preview:MSCF.....h......,...................I...!...(..........XZ. .products.xml.......CK...k.6........P...K.d.#...-ks..m/.....N..c..~..t.].2.a....?I...B.....j..OA0..Z.E..=...\Ye...A4......b..Z:{.l...~<8.J.;U9....w.....p_...U.o..k7....A$c....3.9.~.$.OO....l2..>../'.....t2....N.}.j.W.|.....b.*;....._.T.X......5...V......p...f..M......MQ..t............}]......?....1.Yf.3..t#.a.p...{.}w#&$.8I...Ma..R...DEF..k%...6.).D...ig..Z.......P.r..._.............:3.Z......t3....XT....wW..6..F..,E...I+$J..a..4.;.....\.o.6._z....._.O.1;.~.M....n..6.u....tZ].Ze.."..}Vy..VmKUs1=B.2.}=.\.xg......5._i..:_.2SEp....d..*u..#L...b.r).xA...:.5'.U,.i.d.4.s..Eq.6@;.bFM.0r.`.L..8G)...`..?...i.?..S.\=.....:.5.k.6UP..@Y..`1.f..+f...?...3p..zr...@.hmB..z.....j..,U..T..j..[..z.1 ..Z$...,..,.^........PY....W"..R7..<..Cp...TL...O...%T.k%&...2.RH.I....D.8M...w+-.V),1..&.8E:Q...*g....+.9.....vW6....[.a*p......U.....}..@...y{.`.=...:.e.3`...i.3p..z.n.:@....r.5...z.w.6...l.@.8k.......
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):17298
                                                    Entropy (8bit):5.606700198939237
                                                    Encrypted:false
                                                    SSDEEP:192:z6qadKxEEUz/FhbyabxSXvnQdRlbeAvcdHGjkzdHGqIeO7sfe9L7c6i19WO7hD2G:zP9UzrB1fTrc0j40qIeO7sGwvpMvoz/
                                                    MD5:C969198D5CA5D14A5A0938942EADAEFE
                                                    SHA1:813C6BFC511B10F1C2E3A970BA8AAB43DFC7B7BC
                                                    SHA-256:731074381D0449C3102E235620022D5E34DDE373840EA414B3A9E02DC404AF5B
                                                    SHA-512:A77C9A38014687D4745E14963F37EACC3F1244AF0810C4226A3A5FD0BD6D9FB0BE806977163000AA076B21A62A5C3948C3F3B3787E23FF8C20FB2B4A1CEDFF35
                                                    Malicious:false
                                                    Preview:;..; This section describes the footprint dependencies..; of various platform sections..;..[Dependencies]..Basic =..Servicing = Basic..ICB = Basic, Servicing..Migration = Basic....;..; Each element in a footprint section can be one of three things:..; - File name: this must not ending in '\'...; - Folder name: this must end in '\'...; - File pattern pattern: these can contain wild cards...; These pattern should be one of the format..; accepted by FindFirstFile()...;......[Footprint.Basic]..bcd.dll..bootsvc.dll..diager.dll..diagtrack.dll..diagtrackrunner.exe..hwreqchk.dll..reagent.admx..reagent.dll..reagent.xml..ServicingCommon.dll..setupplatform.cfg..setupplatform.dll..setupplatform.exe..unbcl.dll..utcapi.dll..wdscore.dll..wdsutil.dll..wimgapi.dll..WinSetupBoot.sys..WinSetupBoot.hiv..WinSetupMon.sys..WinSetupMon.hiv....[Footprint.Basic.Delayed]..*-*\reagent.adml..*-*\reagent.dll.mui..*-*\setupplatform.exe.mui..*-*\wdsimage.dll.mui..*-*\wimgapi.dll.mui..du.dll..ReserveManage
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):6990816
                                                    Entropy (8bit):6.7226638865683
                                                    Encrypted:false
                                                    SSDEEP:98304:iDmZU7CZEhQMNzqicGYxKl9l3VlJwITyu3kTcjCQvwyQEfaAhIcF5GN26+:imZG2MZRc5KdVl2ITedQvwsfWP+
                                                    MD5:0FBB2E2E050EAA40751999574422D5D9
                                                    SHA1:12CA912782727E54113F441F58452DCBA8C22666
                                                    SHA-256:D435099BD0DEAC8E59185B150E1A8912A6FECBB76CA24B1106A765046888AE21
                                                    SHA-512:F033B28A929FB9BB480888ACE17771617D75189E4FBF6CFBCB813CA1B5A4D06D6977E0C582045C54499956C708CDD77D2C87B5AAF955B37E1B3BFAEF13844C77
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{}@.?...?...?...6d..=...td-.4...?./.....td/.....td+.0...td*.%...td..>...td&.....td.>...td,.>...Rich?...................PE..L....}............-.....,[......... ,R......@[.............................. k......}k...@A.........................9[.....d.`.......a...............j..%....a......!..T...................x...........@.............`.\...P.[......................text....+[......,[................. ..`.data...`....@[..4...0[.............@....idata..N.....`......d`.............@..@.didat..L....pa.......`.............@....rsrc.........a.......`.............@..@.reloc........a.......a.............@..B........................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):167896
                                                    Entropy (8bit):6.67526168415914
                                                    Encrypted:false
                                                    SSDEEP:3072:GrF2NV4CfPcbpoMEGnTqUlRNWSRS2wvCfep4uc9Zh7sZhFlJHaqi3sTDXqjmVV8U:SfC3cbGzGTqUPNWSRmTp4ugZh7sdfHaA
                                                    MD5:1E624A32E83ED84F6B02E4753ACABB22
                                                    SHA1:7D1B20B3730B515F88787E5551C7BB835A9BE333
                                                    SHA-256:735735874F6CF093D98BAA95D32B7EC73E2287BB450286F0E792E57F559624DE
                                                    SHA-512:0BF39C98C9EAAB4DEB3DB2C0531851252D5DD96D9DFA18C71652D7AA6777010E1532DB3FBD13E4B683C88E56DCCA2507D31B6D2CB05568EA3840939C27E42F69
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>..S_.S_.S_.Z'E.[_..'.Q_..'.^_.S_.._..'.T_..'.Q_..'.R_..'.k_..').R_..'.R_.RichS_.........................PE..L......>...........-.....F...$.......@.......`............................................@A.........................J.......q..x....................j...%...........3..T...........................X...@............p...............................text....D.......F.................. ..`.data........`.......J..............@....idata.......p.......L..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B........................................................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):824296
                                                    Entropy (8bit):6.5923893705206265
                                                    Encrypted:false
                                                    SSDEEP:6144:Kmp5BdF9XvF9PlPjFOUdZnC322rsLEpriFDCP2+FAZkk/xFWbDmq4o0Ple8fQjL/:Kmp5vjQroFDWPIfiD47Ple8f8LcOR
                                                    MD5:90065CB75D2E73A77E3654D7642C885D
                                                    SHA1:85B2A855300AEEB4EE85557588191E369160EC21
                                                    SHA-256:1B31AF6DB22D63AB8AF2478C3E119FB1633F685D09EC3FEBCDB6F3C9AD409AE7
                                                    SHA-512:2D84CFC41A27229BC50586B9777CFA0150AD29E391C60BF9C72E3EFBE4F8DA6EC3D3C4320EA494A0ECCA2B225CABCFD34319031E44D73DD2F75323B57D629C59
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........= ..Ss..Ss..Ss...s..Ss.Pr..Ss.Wr..Ss..RsB.Ss.Rr..Ss.Vr..Ss.Sr..Ss.[r..Ss..s..Ss.Qr..SsRich..Ss........................PE..L...X.P(...........-.....d...............................................................@A........................0.......,........................n...%... ..d...p...T....................C......P...@...............$......@....................text...<c.......d.................. ..`.data....Z.......V...h..............@....idata..............................@..@.didat..............................@....rsrc...............................@..@.reloc..d.... ......................@..B................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):31720
                                                    Entropy (8bit):6.207060888991025
                                                    Encrypted:false
                                                    SSDEEP:384:FGiuBZjzqp0T7zmZA7g/twnqPIErJ2ljrcOzE39eWwcjW9MRDBRJX9NNPR9zzu:8iurzqp0nz2tw0rIqy89J31PD9z6
                                                    MD5:352463BC2A7BBB3B525137BE09225AD4
                                                    SHA1:A48EAB43644FA5AB68B69204088E2CA407A0CB9D
                                                    SHA-256:FF1D8255B97FB39F4EE88930A12C0D389038F28FFD334A0EF3BC64F58F35CDC3
                                                    SHA-512:A75B4F1FCF7A659123EA8007FF874D60F7A20841EC0CE428B310A14D0D974183A148366BC80591FF5FACAA780C64E98851ECEE25D666FFEEE1B75B63A8E155E1
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H.................G.........o...G.......G.......G.......G.......G.).....G.......G.+.....G.......Rich............PE..L...!..............!.....<.......... :.......P......................................73....@A.........................H.......`..,....p...............V...%........... ..T............................................`...............................text....:.......<.................. ..`.data...@....P.......@..............@....idata.......`.......B..............@..@.rsrc........p.......L..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):204776
                                                    Entropy (8bit):6.387337643998748
                                                    Encrypted:false
                                                    SSDEEP:3072:H3op87xQB/B7+fGSZhCYfgGuk9d1ecToEoFRh24ZjHi7zv2vbfIYeAzv4Abhq:H3oO7xQ/7+9C+gGfD4ZjHif+DIMv0
                                                    MD5:ADB1B2158714FCAACB86CF726F05626F
                                                    SHA1:D92E950625FD60F5A3EF47B0A348044FF92CD312
                                                    SHA-256:7CCA29A7DE3B73522DD0E46A1A3E7BC7A13433EE7DBD5F8D006651EAEEB9E1F0
                                                    SHA-512:A4FA45A0D782E89FA2C37167F0F7D11A8480B0D228A0DD0E78F93D9D05048E22166D8FA90A1B17715613A221F1F9BA26BB5839146CB7B0115928195C8E661AFC
                                                    Malicious:false
                                                    Antivirus:
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    • Antivirus: Virustotal, Detection: 0%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|....}..}..}.e...}..e~..}..ey..}..|.n.}..e|..}..ex..}..e}..}..eu..}..e...}..e...}.Rich..}.................PE..L...j14?...........-.........L...............................................P.......p....@A........................@...........d........................%... ..X!.....T...............................@............................................text............................... ..`.data...@...........................@....idata..............................@..@.rsrc...............................@..@.reloc..X!... ..."..................@..B................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):244184
                                                    Entropy (8bit):6.521001091288403
                                                    Encrypted:false
                                                    SSDEEP:3072:e+QJCMpqmd9o0AyUhJkpU4M7VGS3UieTRZUKdJJplNzBtH7pwR9dsJdUaLVzFNsu:erqmg0AEOVGwecK/JhH1wbd8djPV
                                                    MD5:02B07C196E13AA7529BA1F8FB9513568
                                                    SHA1:DAEC09AF8098FCC16E898C9A83C98C813BC4FFAD
                                                    SHA-256:67172F24BAE550C8C060DE619AAEAC39CBF713616B1B597849759A3A34D69136
                                                    SHA-512:C6E057EF13959E2B625421FCD2F14CF0C2B2F85E140285FC1F1A1220FFCB995A089F0D4F853E4225E39B7EAF87784B517B64285D14EB3ABAD8991E66F783C3B1
                                                    Malicious:false
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A#T./pT./pT./p..,qW./p..+qE./pT..pH./p...qG./p..*q^./p../qU./p..'q}./p...pU./p..-qU./pRichT./p........PE..L.....{............-.....8...^...............P.......................................\....@A............................C>..ls...........................%.......(...a..T...............................@............p..d.......@....................text....7.......8.................. ..`.data........P.......<..............@....idata.......p.......L..............@..@.didat.. ............d..............@....rsrc................f..............@..@.reloc...(.......*...j..............@..B........................................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):636888
                                                    Entropy (8bit):6.6304200266990545
                                                    Encrypted:false
                                                    SSDEEP:12288:9Ju6sry92Smt54VQCBhf/Cwyu1LYCyVRhItVsQdwkr2RkPIe99AneuzraPVj/0Q:3bs+92Sm8VQC3faI1kCyRILrj/0Q
                                                    MD5:5C7DEA67820CD1E6E78DF01A826EC255
                                                    SHA1:78EF30670DCD5B0A7C27DEB058229A2C45C94EAF
                                                    SHA-256:C71E57B83DE3537201F14647538B761E690830AB54824BD10BE5525DEA17C073
                                                    SHA-512:CB2D97A852FFB761F830364CF3C50E01F25891CA84F08C51A128AD9469748DB7710718DF4F0CF49A8C5431FB79435AAB1043C867A11A486DBC63DEE1F06D3172
                                                    Malicious:false
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.3Q.a]..a]..a]......a].@.Y..a].@.^..a]..a\.8`].@.\..a].@.X..a].@.]..a].@.U..a].@....a].@._..a].Rich.a].........PE..L...L..............-......................................................................@A................................<........ ...;...............%...`...P..<M..T...........................p...@...............4............................text............................... ..`.data...............................@....idata..............................@..@.rsrc....;... ...<..................@..@.reloc...P...`...R...@..............@..B........................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):1119704
                                                    Entropy (8bit):6.36630887855141
                                                    Encrypted:false
                                                    SSDEEP:12288:X8T4SDJ1EZ8hwRvFkFPDYw3oswDhYYovTy1YmpwKzMjNv8:X8FPEeh2iFLoswDhYYovaYmBzgv8
                                                    MD5:9E22A8BC852CB4BCE0DC35DD4D3A4C9F
                                                    SHA1:7102F335C55FA6BB3D1FBA8CB21264BBECA40D06
                                                    SHA-256:0317D27C82C2E6182C7084ED3BC611302E426C95DBDE556E11C54DA1A340F50C
                                                    SHA-512:2EBC1CF2060AFDB66C24F1CF2D0540874779EE3F8019DD70371AE9CB10E5D9D938BFE57C33AEF3B074D8DC4049524BE86FC9EA637065FDEA06C3919644A68631
                                                    Malicious:false
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].T.<...<...<...DS..<...D...<...D...<...<..:<...D...<...D...<...D...<...D...<...D?..<...D...<..Rich.<..........PE..L..................!.....p...........D.......................................0............@A........................P[......t............@...............%...P..T......T....................;.......;..@...............l............................text...fL.......N.................. ..`PAGE.........`... ...R.............. ..`PAGECMRCf............r.............. ..`.data... K.......H...t..............@....idata..............................@..@.rsrc....@.......B..................@..@.reloc..T....P......................@..B........................................................................................................................................................................................................................................
                                                    Process:C:\Windows\System32\expand.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1766012
                                                    Entropy (8bit):5.222428963032769
                                                    Encrypted:false
                                                    SSDEEP:6144:9sw04Dh8gajddh15giNxvAdYKlJUzYx48JvMgntnVwZS5NaM9xUOtQ:i
                                                    MD5:86F60A8EF0B095DC027C50499C82516E
                                                    SHA1:87C38100F7A6B30435094720B9277D1DC7206165
                                                    SHA-256:26419867DDAC297A330DD641E59ECEC584BDF370D4A0743A88683C604D9D629E
                                                    SHA-512:1BBA31403FDC067C699942FBBA5F2B39E82E3D47A84DE907D3C820A0A8C231A794CC3539939A6CFB4298BBA83C6530E9F7947B92F8BDBB7D18D526AC40AE0CB3
                                                    Malicious:false
                                                    Preview:<MCT>.. <Catalogs>.. <Catalog version="2.0">.. <PublishedMedia id="" release="">.. <Files>.. <File id="">.. <FileName>22631.2861.231204-0538.23H2_NI_RELEASE_SVC_REFRESH_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FileName>.. <LanguageCode>zh-cn</LanguageCode>.. <Language>Chinese (Simplified, China)</Language>.. <Edition>CoreCountrySpecific</Edition>.. <Architecture>x64</Architecture>.. <Size>4784809970</Size>.. <Sha1>bb1a2c7fd0ba7c02cbc34ab4795c88aebed26dd7</Sha1>.. <FilePath>http://dl.delivery.mp.microsoft.com/filestreamingservice/files/abc0d143-e34f-41d6-8d78-94ebfc46b33f/22631.2861.231204-0538.23H2_NI_RELEASE_SVC_REFRESH_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FilePath>.. <Key />.. <Architecture_Loc>%ARCH_64%</Architecture_Loc>.. <Edition_Loc>%BASE_CHINA%</Edition_Loc>.. <IsRetailOnly>False</IsRetailOnly>.. </File>.. <File id=
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):3158
                                                    Entropy (8bit):5.281519868197971
                                                    Encrypted:false
                                                    SSDEEP:96:zTazNDowOcsakuYVrfY87YjjyJ4emOHOA2wwx:uBowwsYLKRe3uAs
                                                    MD5:D2ECA11C87124056FE37EBFCA44F82AF
                                                    SHA1:B27CC2CA57B7A42BC757EF8345EF9D87611D801F
                                                    SHA-256:9E08AA4BE5C33D34F8C139289A0C8D39E4CD67C935C97AA0E4B76B8C078EF5F1
                                                    SHA-512:3B57D4EBC011B2C4B52C70D4A7854233D9583165F8284F3ED16A1A516D1030ECFFD9E02D97A9BC32AA89CEEA7CA36B092FD2365221D5962C99377309D4FC2348
                                                    Malicious:false
                                                    Preview:<unattend xmlns="urn:schemas-microsoft-com:unattend">.. <settings pass="windowsPE"><component name="Microsoft-Windows-Setup" processorArchitecture="amd64" language="neutral".. xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. publicKeyToken="31bf3856ad364e35" versionScope="nonSxS">.. <UserData><ProductKey><Key>AAAAA-VVVVV-EEEEE-YYYYY-OOOOO</Key><WillShowUI>OnError</WillShowUI></ProductKey></UserData>.. <ComplianceCheck><DisplayReport>Never</DisplayReport></ComplianceCheck><Diagnostics><OptIn>false</OptIn></Diagnostics>.. <DynamicUpdate><Enable>true</Enable><WillShowUI>Never</WillShowUI></DynamicUpdate><EnableNetwork>true</EnableNetwork>.. </component></settings> .. <settings pass="specialize"><component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" language="neutral".. xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instanc
                                                    Process:C:\Windows\System32\cmd.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):65
                                                    Entropy (8bit):5.171841466641623
                                                    Encrypted:false
                                                    SSDEEP:3:MVYr1+eyThXqvv+I/NgBMNZQXMWAov:mG1T4h6vP/y6N+XMWNv
                                                    MD5:0F275B99EFFC6823B9658DD9EF58AD90
                                                    SHA1:5CD07F3F4DDA791E7E207DF66E67A6C1D4799757
                                                    SHA-256:B24122590F55BA78A5999758CF7EEF602F85BB91D00FD8369D7CBE526060F52C
                                                    SHA-512:B19189CBD335A527766B9E97D4B1D069EA524904805D836D652309808B388152A10AB93CD30BD74B4B94C8D9A908A33FEA33F228F361C6360A6B364D0620A8E5
                                                    Malicious:false
                                                    Preview:[PID]..Value=NPPR9-FWDCX-D2C8J-H872K-2YT43..;Edition=Enterprise..
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):11078
                                                    Entropy (8bit):5.438371369269305
                                                    Encrypted:false
                                                    SSDEEP:192:fJWciQy5wpzSoXsZLlNIp+EHqd8z0PZohK9PNPE3hmOZyxrsDwlOXUJuzXv:oc3zSVfx8qI0RocXE3VZypsslOkJc/
                                                    MD5:E47E25ABB406DE287B18EF29CD8C02D7
                                                    SHA1:A84181C4780B3103D7B4F25C3F4FD05DBBC317E3
                                                    SHA-256:44AC50A3BE42CFFF363A79BB43D6CA629875B1F90F9BC786C5EDC06397BCDBCB
                                                    SHA-512:43DBE96ADD72192345A98F4155D3D489E6C05B4C790D0A08B6AF75CE9EF685E14589EC8BA8B345439155943205E71AC9552DB6AF5C9DB427E1C6743B11F26815
                                                    Malicious:false
                                                    Preview:@echo off& title Auto Upgrade || supports Ultimate / PosReady / Embedded / LTSC / Enterprise Eval..set "EDITION_SWITCH=Enterprise"..set "SKIP_11_SETUP_CHECKS=1"..set OPTIONS=/SelfHost /Auto Upgrade /MigChoice Upgrade /Compat IgnoreWarning /MigrateDrivers All /ResizeRecoveryPartition Disable /ShowOOBE None /Telemetry Disable /CompactOS Disable /DynamicUpdate Disable /SkipSummary /Eula Accept....pushd "%~dp0" & for %%w in (%1) do pushd %%w..for %%i in ("x86\" "x64\" "") do if exist "%%~isources\setupprep.exe" set "dir=%%~i"..pushd "%dir%sources" || (echo "%dir%sources" not found! script should be run from windows setup media & timeout /t 5 & exit /b)....::# start sources\setup if under winpe (when booted from media) [Shift] + [F10]: c:\auto or d:\auto or e:\auto etc...reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinPE">nul 2>nul && (.. for %%s in (sCPU sRAM sSecureBoot sStorage sTPM) do reg add HKLM\SYSTEM\Setup\LabConfig /f /v Bypas%%sCheck /d 1 /t reg_dword.. start "W
                                                    Process:C:\Windows\System32\cmd.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):11
                                                    Entropy (8bit):2.845350936622437
                                                    Encrypted:false
                                                    SSDEEP:3:tWUGv:kr
                                                    MD5:956FED58912DADA4B52702103A1B6477
                                                    SHA1:93D0B9A17A6C2049C3A75DD3DFDE3EF8133B6411
                                                    SHA-256:1A429B3DD4612ED8AD41623D624CE8FE1E163CB7D930000E58AFB6C9698AF03C
                                                    SHA-512:226CCF153B8BB0D5648A46CC86CE145C906C891899A699D58A62755A26840E938D8C28C8DEA81A02A554F574FEB195A3782916D7F32F41C733C2E03693388548
                                                    Malicious:false
                                                    Preview:20231129 ..
                                                    Process:C:\Windows\System32\makecab.exe
                                                    File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 26800 bytes, 1 file, at 0x2c +A "products.xml", number 1, 33 datablocks, 0x1 compression
                                                    Category:modified
                                                    Size (bytes):26800
                                                    Entropy (8bit):7.969790832630451
                                                    Encrypted:false
                                                    SSDEEP:768:8APwG2rXm6i6dQvV+ERKj8bBxzoqeI8V0vKBFN:PQ26i6C9+ERW8bBbuVo6FN
                                                    MD5:7DA6A372AC5FEF296CAC1FB672E482FF
                                                    SHA1:88C45C8F6A22BEAB319AC3BFF378E0CFC66DBE9B
                                                    SHA-256:FA24F048156B5E2255DA6C412A77CA794BD6C42356BEAC51C000E52CC6C431AB
                                                    SHA-512:55851B274143197AA689445F9A4E9849E9739EB2475981921DADD793052BBFB6268BE4CF05BEEF6473FD63D424701A385BF74704F4EF04602CB0F2BA5C13FF01
                                                    Malicious:false
                                                    Preview:MSCF.....h......,...................I...!...(..........XZ. .products.xml.......CK...k.6........P...K.d.#...-ks..m/.....N..c..~..t.].2.a....?I...B.....j..OA0..Z.E..=...\Ye...A4......b..Z:{.l...~<8.J.;U9....w.....p_...U.o..k7....A$c....3.9.~.$.OO....l2..>../'.....t2....N.}.j.W.|.....b.*;....._.T.X......5...V......p...f..M......MQ..t............}]......?....1.Yf.3..t#.a.p...{.}w#&$.8I...Ma..R...DEF..k%...6.).D...ig..Z.......P.r..._.............:3.Z......t3....XT....wW..6..F..,E...I+$J..a..4.;.....\.o.6._z....._.O.1;.~.M....n..6.u....tZ].Ze.."..}Vy..VmKUs1=B.2.}=.\.xg......5._i..:_.2SEp....d..*u..#L...b.r).xA...:.5'.U,.i.d.4.s..Eq.6@;.bFM.0r.`.L..8G)...`..?...i.?..S.\=.....:.5.k.6UP..@Y..`1.f..+f...?...3p..zr...@.hmB..z.....j..,U..T..j..[..z.1 ..Z$...,..,.^........PY....W"..R7..<..Cp...TL...O...%T.k%&...2.RH.I....D.8M...w+-.V),1..&.8E:Q...*g....+.9.....vW6....[.a*p......U.....}..@...y{.`.=...:.e.3`...i.3p..z.n.:@....r.5...z.w.6...l.@.8k.......
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1050152
                                                    Entropy (8bit):5.2255670164619925
                                                    Encrypted:false
                                                    SSDEEP:3072:TOSwHrcKWL/Edh15giNxvAmcPfGDieVngshL1OVwZS5NaM9xUOHpnPl3:qdh15giNxvAmc3VwZS5NaM9xUOHpnPl3
                                                    MD5:A4690C66C3F2E2057E3C842C323EC7F8
                                                    SHA1:AE75722494533E4CBCEFE5E3514E0392D77BC1D8
                                                    SHA-256:4C430416028C3F31A394F35F5A99E8662CA5286C3468AA73BD9BDB5B6FDADEAA
                                                    SHA-512:34167431D48949890BB2345BC8895D9D6BF00BA8765246D6DD160CFBAA91347EC1711085B362BEA1779A589F7ED79723D93CDC052F798FF131B5970594FCF4A7
                                                    Malicious:false
                                                    Preview:<MCT>.. <Catalogs>.. <Catalog version="2.0">.. <PublishedMedia id="" release="">.. <Files>.. <File id="">.. <FileName>22631.2861.231204-0538.23H2_NI_RELEASE_SVC_REFRESH_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FileName>.. <LanguageCode>zh-cn</LanguageCode>.. <Language>Chinese (Simplified, China)</Language>.. <Edition>CoreCountrySpecific</Edition>.. <Architecture>x64</Architecture>.. <Size>4784809970</Size>.. <Sha1>bb1a2c7fd0ba7c02cbc34ab4795c88aebed26dd7</Sha1>.. <FilePath>http://dl.delivery.mp.microsoft.com/filestreamingservice/files/abc0d143-e34f-41d6-8d78-94ebfc46b33f/22631.2861.231204-0538.23H2_NI_RELEASE_SVC_REFRESH_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FilePath>.. <Key />.. <Architecture_Loc>%ARCH_64%</Architecture_Loc>.. <Edition_Loc>%BASE_CHINA%</Edition_Loc>.. <IsRetailOnly>False</IsRetailOnly>.. </File>.. <File id=
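The products.xml preview above is the catalog that, per the script's own header comment, it configures before starting the Media Creation Tool: one `<File>` record per ESD with its size, SHA-1 and download URL, which is what an image fetched by MCT can later be checked against. The following is an added example, not code from the report or from the AveYo script. It parses a constructed catalog whose first record repeats the fields visible in the preview and whose second record is invented (a non-Microsoft host and a malformed hash) so the checks have something to flag; treating any host under microsoft.com as "Microsoft-hosted" is an assumption drawn from the script's header comment, and the hashed payload in `demo()` is constructed, not a real image.

```python
"""Audit a Media Creation Tool products.xml catalog and verify a downloaded ESD."""
import hashlib, os, tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Assumption: "Microsoft-hosted" means a host under one of these suffixes.
ALLOWED_HOST_SUFFIXES = ("microsoft.com",)

# Constructed catalog: the first <File> repeats the fields visible in the report's
# preview; the second is invented (bogus host, bogus hash) so the audit has a hit.
SAMPLE_CATALOG = """<MCT>
 <Catalogs>
  <Catalog version="2.0">
   <PublishedMedia id="" release="">
    <Files>
     <File id="">
      <FileName>22631.2861.231204-0538.23H2_NI_RELEASE_SVC_REFRESH_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FileName>
      <LanguageCode>zh-cn</LanguageCode>
      <Edition>CoreCountrySpecific</Edition>
      <Architecture>x64</Architecture>
      <Size>4784809970</Size>
      <Sha1>bb1a2c7fd0ba7c02cbc34ab4795c88aebed26dd7</Sha1>
      <FilePath>http://dl.delivery.mp.microsoft.com/filestreamingservice/files/abc0d143-e34f-41d6-8d78-94ebfc46b33f/22631.2861.231204-0538.23H2_NI_RELEASE_SVC_REFRESH_CLIENTCHINA_RET_x64FRE_zh-cn.esd</FilePath>
      <Key />
     </File>
     <File id="">
      <FileName>tampered.esd</FileName>
      <Size>1</Size>
      <Sha1>not-a-hash</Sha1>
      <FilePath>https://mirror.example.invalid/tampered.esd</FilePath>
     </File>
    </Files>
   </PublishedMedia>
  </Catalog>
 </Catalogs>
</MCT>"""


@dataclass
class EsdEntry:
    file_name: str
    size: int
    sha1: str
    url: str


def parse_catalog(xml_text: str) -> List[EsdEntry]:
    entries = []
    for f in ET.fromstring(xml_text).iter("File"):
        entries.append(EsdEntry(
            file_name=f.findtext("FileName", "").strip(),
            size=int(f.findtext("Size", "0").strip() or 0),
            sha1=f.findtext("Sha1", "").strip().lower(),
            url=f.findtext("FilePath", "").strip()))
    return entries


def _host_allowed(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def audit_entry(e: EsdEntry) -> List[str]:
    """Return the problems with one catalog entry (empty list means clean)."""
    findings = []
    u = urlparse(e.url)
    if u.scheme not in ("http", "https") or not u.hostname:
        findings.append("unparseable-url")
    elif not _host_allowed(u.hostname):
        findings.append(f"host-not-allowed:{u.hostname}")
    if u.scheme == "http":
        findings.append("plain-http")          # integrity then rests on the Sha1 check
    if len(e.sha1) != 40 or any(c not in "0123456789abcdef" for c in e.sha1):
        findings.append("malformed-sha1")
    if not e.file_name.lower().endswith(".esd"):
        findings.append("unexpected-extension")
    return findings


def _check(size: int, digest: str, e: EsdEntry) -> Tuple[bool, str]:
    if size != e.size:
        return False, f"size {size} != catalog {e.size}"
    if digest != e.sha1:
        return False, "sha1 mismatch"
    return True, "ok"


def verify_bytes(data: bytes, e: EsdEntry) -> Tuple[bool, str]:
    return _check(len(data), hashlib.sha1(data).hexdigest(), e)


def verify_download(path: str, e: EsdEntry) -> Tuple[bool, str]:
    """Stream the file: ESDs are several GiB, so never read them whole."""
    h, n = hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
            n += len(chunk)
    return _check(n, h.hexdigest(), e)


def demo() -> Tuple[bool, str]:
    """Write a constructed payload to a temp file and verify it against a matching entry."""
    data = b"constructed ESD payload, not a real image"
    entry = EsdEntry("demo.esd", len(data), hashlib.sha1(data).hexdigest(),
                     "https://dl.delivery.mp.microsoft.com/demo.esd")
    fd, path = tempfile.mkstemp(suffix=".esd")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return verify_download(path, entry)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for entry in parse_catalog(SAMPLE_CATALOG):
        print(entry.file_name, audit_entry(entry) or "clean")
    print(demo())
```

The point of auditing the catalog rather than the script is that a tampered wrapper only needs to change one `<FilePath>` or `<Sha1>` to redirect MCT to a different image; the URL host check catches the former, and verifying the downloaded ESD against the catalog's size and SHA-1 catches a swap on a plain-HTTP link.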
                                                    Process:C:\Windows\System32\Robocopy.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):132241
                                                    Entropy (8bit):5.654698386450324
                                                    Encrypted:false
                                                    SSDEEP:3072:QSME2DYVQ2w33dFepssMCy6nMuumU6VxjuBxpro2A+N/Lhu:QSME2DYVQV33dFmDnMuumNuDprTw
                                                    MD5:DD0DC9282EF05A1FA257ADBDD0C020D5
                                                    SHA1:4C8697CC01A50F5776CDBD2BEE3FE4FC447A892C
                                                    SHA-256:E9960D7EEDBEDCD62F96C9420D95845F4BAD4A90D491371DDBB788BA01DA1D44
                                                    SHA-512:30A01FC5DCF75050B4A1701BF6098C86CDF7CF3888AD4245A80FF1BA2D114C18A9029FC458DB3A9410DF71B14D19A55386331C8C6AA456C1C30FB6AB9616F3C6
                                                    Malicious:true
                                                    Yara Hits:
                                                    • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\ESD\MediaCreationTool.bat, Author: Joe Security
                                                    • Rule: JoeSecurity_PowershellDecodeAndExecute, Description: Yara detected Powershell decode and execute, Source: C:\ESD\MediaCreationTool.bat, Author: Joe Security
                                                    Preview:@goto latest at github.com/AveYo/MediaCreationTool.bat..:Universal MCT wrapper script for all Windows 10/11 versions from 1507 to 23H2!..:: Nothing but Microsoft-hosted source links and no third-party tools; script just configures an xml and starts MCT..:: Ingenious support for business editions (Enterprise / VL) selecting language, x86, x64 or AiO inside the MCT GUI..:: Changelog: 2023.11.29 stable..:: - all issues ironed out; upgrade keeping files from Eval editions too; pickup $ISO$ dir content to add on media..:: - DU in 11: auto installs 22000.556 atm; older skip_11_checks, without Server label; Home offline local account..:: on upgrade: latest build, on offline install: 11 23H2 22631.2861 / 11 22H2 22621.1702 / 11 21H2 22000.318 / 22H2 19045.2965 / 21H2 19044.1288 / 21H1 19043.1348 / 20H2 19042.1052....::# uncomment to skip GUI dialog for MCT choice: 1507 to 11 23H2 - or rename script: "23H2 MediaCreationTool.bat"..rem set MCT=2310....::# uncomment to start auto upgrade setup dir
                                                    Process:C:\Windows\System32\Robocopy.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:false
                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                    Process:C:\Windows\System32\cmd.exe
                                                    File Type:MS Windows 95 Internet shortcut text (URL=<github.com/AveYo/MediaCreationTool.bat>), ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):4.72202421965905
                                                    Encrypted:false
                                                    SSDEEP:3:HRAbABGQYmpidYKKdBmhjvLYyn:HRYFVm8NgmRV
                                                    MD5:ACCAC7A89787C165104D357395B0786C
                                                    SHA1:8B684F93B3B9AAE9962148F9F3677C7BB9FC552A
                                                    SHA-256:870B4D39E2A91AFB2061A679F4588ACE4F42617B10A6F6D7ECE20649FAF3CCED
                                                    SHA-512:11F65B648EFD17BDA428CE5B5AE09D5150E4222D1623856989B738374BFA28A5AAC8B01E834F6B3EF827337875A037CC17E2B9DB6A327A97B125DE83A3B1CB6F
                                                    Malicious:false
                                                    Preview:[InternetShortcut]..URL=github.com/AveYo/MediaCreationTool.bat..
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):11608
                                                    Entropy (8bit):4.887486353364779
                                                    Encrypted:false
                                                    SSDEEP:192:I9sm73YrKkDp5hVsm5eml89smFp5IiMDOmEN3H+OHgFqxoeRM3YrKkDVsm5emlpj:HPYmiQ0HzAFItib4Mib4WVoGIpN6KQkT
                                                    MD5:69E9F3FAAEAC92E92B26596DBA884D3B
                                                    SHA1:02A87F2EAD0B9DC6202372D370B4D58D025B7CB2
                                                    SHA-256:F2453CFAB4FB2EB61E0E4DD4BAF35E926BE43E0C8E36569A3A325E605316B321
                                                    SHA-512:BD0EEF728D260D0BD217B507DC217BB96FA0C069FA872E6D5C8805B922ED81D9F0528AC1EE775F0BC1B1BB666FCE7B170385E5AE229A55D0D4FFF2AC936524FF
                                                    Malicious:false
                                                    Preview:PSMODULECACHE..........z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope........-.l..z..a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.............z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........AfterEa
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):15056
                                                    Entropy (8bit):5.5619524866683445
                                                    Encrypted:false
                                                    SSDEEP:384:5i7jrkV5U0uJZfV0Xhr7C7eXORnVdgepC+5x9LCYjr:58rWmoXhrb+RLgepCgCc
                                                    MD5:54E61EEEBDB44BCA759B497B4DEDEC8B
                                                    SHA1:11AFED182889ECE0D774B3CCA03E1162150C6F2C
                                                    SHA-256:8552BD3914391A785996954E0A8685C2E9881823CCC54218AE038A1C9CD19CE5
                                                    SHA-512:539CEC28C681E39CDAB12460F341CB015E59A173BF3A7C7255D2F4630DD67183DB431870E251F96F7DEB18D04D316369F421AA374711EDCEDE154B7ACEF93910
                                                    Malicious:false
                                                    Preview:@...e.......................<.%.......".........................H...............o..b~.D.poM...$..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.....t.......System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\makecab.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):26727
                                                    Entropy (8bit):7.9657531224964835
                                                    Encrypted:false
                                                    SSDEEP:768:rAxJyDG8XiuiAdQjV+f9CjYbaTz3GegeV0ajBGo:HTyuiACp+f9eYbamYVZNGo
                                                    MD5:FAFE639E25D62021A2F5E0E083FD5C68
                                                    SHA1:20120E0AC44660363DF5BF8F576E863D49289165
                                                    SHA-256:BA5E157C039BC4935F23F8DEF5997BE85E7458D7B46975926EB481729AE909ED
                                                    SHA-512:9244B2320304C48F5CC5DD43F1CB4E246C5FD21DD3E236F0C048F46B78365B23F0D61148586786CF98BC4889D5EC0E165E07CEB40DFA5612D0837B6FB48BD5F5
                                                    Malicious:false
                                                    Preview:........CK...k.6........P...K.d.#...-ks..m/.....N..c..~..t.].2.a....?I...B.....j..OA0..Z.E..=...\Ye...A4......b..Z:{.l...~<8.J.;U9....w.....p_...U.o..k7....A$c....3.9.~.$.OO....l2..>../'.....t2....N.}.j.W.|.....b.*;....._.T.X......5...V......p...f..M......MQ..t............}]......?....1.Yf.3..t#.a.p...{.}w#&$.8I...Ma..R...DEF..k%...6.).D...ig..Z.......P.r..._.............:3.Z......t3....XT....wW..6..F..,E...I+$J..a..4.;.....\.o.6._z....._.O.1;.~.M....n..6.u....tZ].Ze.."..}Vy..VmKUs1=B.2.}=.\.xg......5._i..:_.2SEp....d..*u..#L...b.r).xA...:.5'.U,.i.d.4.s..Eq.6@;.bFM.0r.`.L..8G)...`..?...i.?..S.\=.....:.5.k.6UP..@Y..`1.f..+f...?...3p..zr...@.hmB..z.....j..,U..T..j..[..z.1 ..Z$...,..,.^........PY....W"..R7..<..Cp...TL...O...%T.k%&...2.RH.I....D.8M...w+-.V),1..&.8E:Q...*g....+.9.....vW6....[.a*p......U.....}..@...y{.`.=...:.e.3`...i.3p..z.n.:@....r.5...z.w.6...l.@.8k........ep...7...Z..g......./ .Vj*U.-iA..)&)U.'.B*..OY.e......HF.1.p.X".I..^
                                                    Process:C:\Windows\System32\makecab.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):29
                                                    Entropy (8bit):3.874211167093752
                                                    Encrypted:false
                                                    SSDEEP:3:biW+ln:mW+ln
                                                    MD5:D4B0FC50BBFF7012DE26071424CCC8E6
                                                    SHA1:3181E07D7F82EBA7BB44FC2E76232B734B7A4137
                                                    SHA-256:CC1B5E8591D59F8D073369CDAB3E74C999F98D99DCB0E45BE49CBA72243E0254
                                                    SHA-512:C0ADAF94A8A28EB2CE1FA59B740412B5AD91908743856D5A0EA0ABFE632C0917CD875A134EA72CC1C42E9B6B1DF5CD8F8C1B89F4218A5ED934E9C55C11B3DF3E
                                                    Malicious:false
                                                    Preview:(..........XZ. .products.xml.
                                                    Process:C:\Windows\System32\makecab.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):26727
                                                    Entropy (8bit):7.970565419572441
                                                    Encrypted:false
                                                    SSDEEP:768:DAPwG2rXm6i6dQvV+ERKj8bBxzoqeI8V0vKBFN:IQ26i6C9+ERW8bBbuVo6FN
                                                    MD5:87C196110062945A01CA5BDAA2C52A68
                                                    SHA1:3D89566B9347F5499FF6A3C4444F440D1E1A1241
                                                    SHA-256:1FA61FD06F9E02DEB27759208398A0954D55DC585556D0FBB978E6A3A5C900FE
                                                    SHA-512:D883B7665F180F1B0E5B1092B5AB589ED839F8A3475937581B16CDCC62E982487B99F3CFFCF00760C1B39D7E28B8422E4CB863D409247BAAF71D7F226A1073B1
                                                    Malicious:false
                                                    Preview:......CK...k.6........P...K.d.#...-ks..m/.....N..c..~..t.].2.a....?I...B.....j..OA0..Z.E..=...\Ye...A4......b..Z:{.l...~<8.J.;U9....w.....p_...U.o..k7....A$c....3.9.~.$.OO....l2..>../'.....t2....N.}.j.W.|.....b.*;....._.T.X......5...V......p...f..M......MQ..t............}]......?....1.Yf.3..t#.a.p...{.}w#&$.8I...Ma..R...DEF..k%...6.).D...ig..Z.......P.r..._.............:3.Z......t3....XT....wW..6..F..,E...I+$J..a..4.;.....\.o.6._z....._.O.1;.~.M....n..6.u....tZ].Ze.."..}Vy..VmKUs1=B.2.}=.\.xg......5._i..:_.2SEp....d..*u..#L...b.r).xA...:.5'.U,.i.d.4.s..Eq.6@;.bFM.0r.`.L..8G)...`..?...i.?..S.\=.....:.5.k.6UP..@Y..`1.f..+f...?...3p..zr...@.hmB..z.....j..,U..T..j..[..z.1 ..Z$...,..,.^........PY....W"..R7..<..Cp...TL...O...%T.k%&...2.RH.I....D.8M...w+-.V),1..&.8E:Q...*g....+.9.....vW6....[.a*p......U.....}..@...y{.`.=...:.e.3`...i.3p..z.n.:@....r.5...z.w.6...l.@.8k........ep...7...Z..g......./ .Vj*U.-iA..)&)U.'.B*..OY.e......HF.1.p.X".I..^
                                                    Process:C:\Windows\System32\makecab.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):29
                                                    Entropy (8bit):3.874211167093752
                                                    Encrypted:false
                                                    SSDEEP:3:biW+ln:mW+ln
                                                    MD5:D4B0FC50BBFF7012DE26071424CCC8E6
                                                    SHA1:3181E07D7F82EBA7BB44FC2E76232B734B7A4137
                                                    SHA-256:CC1B5E8591D59F8D073369CDAB3E74C999F98D99DCB0E45BE49CBA72243E0254
                                                    SHA-512:C0ADAF94A8A28EB2CE1FA59B740412B5AD91908743856D5A0EA0ABFE632C0917CD875A134EA72CC1C42E9B6B1DF5CD8F8C1B89F4218A5ED934E9C55C11B3DF3E
                                                    Malicious:false
                                                    Preview:(..........XZ. .products.xml.
                                                    Process:C:\Windows\System32\makecab.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):8
                                                    Entropy (8bit):1.061278124459133
                                                    Encrypted:false
                                                    SSDEEP:3:v:v
                                                    MD5:5D7F18BD13CF8C55F46DF1604ADB5528
                                                    SHA1:1F55B4D421486E0D5F033E7E581C7B3E511DF767
                                                    SHA-256:CEF6412137A713B036CCCF2EF9DE7CB8B583FF36950962D0F7F45A813939982C
                                                    SHA-512:B54FD7D9BCF7194AAA447F0FC87764C96347545190A0FEDBC7F73CBE2CB9A6731D811EE0B4096CCE7D8335EC3E70737AF5E7C6A597BF59016742F512493D34A1
                                                    Malicious:false
                                                    Preview:....!...
                                                    Process:C:\Windows\System32\cmd.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:5:5
                                                    MD5:28D397E87306B8631F3ED80D858D35F0
                                                    SHA1:08534F33C201A45017B502E90A800F1B708EBCB3
                                                    SHA-256:A9253DC8529DD214E5F22397888E78D3390DAA47593E26F68C18F97FD7A3876B
                                                    SHA-512:0A0CD116C2C57FB125FD9ADA131F6CA964587A9958A214814A623DB1821ED5CE32DAEEC4085A14E31D900A357B1E2549319B2E0CC2C8CFBAFC6A4A4AAFEBE203
                                                    Malicious:false
                                                    Preview:\
                                                    Process:C:\Windows\System32\Dism.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (389), with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):116919
                                                    Entropy (8bit):5.053624800895084
                                                    Encrypted:false
                                                    SSDEEP:768:D/MiIzZC4aAM+TRMNMh09JAhQkQLKGQUE00qUCMzmN18Pvzu8/ok6vN5wgL2PdPi:j6h0t1ELPdhE
                                                    MD5:8001D2DBCE3537CCB7877612B8BEE5F7
                                                    SHA1:BF006F93C7E329A121B7B0BBC5FEEC90928F1A2F
                                                    SHA-256:8CA623C03E8A8A756E4FB7950AA11F64D328F461365AB3C4D9D2A8611191C33B
                                                    SHA-512:4A7CCB39A9A6158803468D523DCDEC6F5633D43EE630FFE0B27B30A2931C702F71EA37967BCF61C974953E40F7FDD0BDD96F5475237307D102130EE34B20BDFF
                                                    Malicious:false
                                                    Preview:.[3360] [0x8007007b] FIOReadFileIntoBuffer:(1452): The filename, directory name, or volume label syntax is incorrect...[3360] [0xc142011c] UnmarshallImageHandleFromDirectory:(641)..[3360] [0xc142011c] WIMGetMountedImageHandle:(2906)..[3360] [0x8007007b] FIOReadFileIntoBuffer:(1452): The filename, directory name, or volume label syntax is incorrect...[3360] [0xc142011c] UnmarshallImageHandleFromDirectory:(641)..[3360] [0xc142011c] WIMGetMountedImageHandle:(2906)..2023-10-03 13:01:57, Info DISM PID=3360 TID=5780 Temporarily setting the scratch directory. This may be overridden by user later. - CDISMManager::FinalConstruct..2023-10-03 13:01:57, Info DISM PID=3360 TID=5780 Scratch directory set to 'C:\Users\jones\AppData\Local\Temp\'. - CDISMManager::put_ScratchDir..2023-10-03 13:01:57, Info DISM PID=3360 TID=5780 DismCore.dll version: 6.2.19041.746 - CDISMManager::FinalConstruct..2023-10-03 13:01:57, Info DISM I
                                                    Process:C:\Windows\System32\expand.exe
                                                    File Type:CSV text
                                                    Category:dropped
                                                    Size (bytes):345727
                                                    Entropy (8bit):4.386633621674173
                                                    Encrypted:false
                                                    SSDEEP:192:0K9KmK9KIK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK7KYK7KIK72:3
                                                    MD5:C4E990B50EA9A7801B573ADBE745C004
                                                    SHA1:407E652D75842CA51E558DB4DF8373F6BF19AF6F
                                                    SHA-256:389489BAACAB1FCC9E1BA536628BDC833D3848DC4389C3EFA7EFEB4B5E98515E
                                                    SHA-512:14DF4E955619F2443CE5CDA12905534CA81D0DBC08B194766DE0B3F7B5CF2CB3DA153ABEE1F9A54483AAC8AC8ADFF64B115C5ED2EAF5C49C2D9516B469466F53
                                                    Malicious:false
                                                    Preview:.2023-10-03 11:48:47, Info DPX Started DPX phase: Resume and Download Job..2023-10-03 11:48:47, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:47, Info DPX CJob::Resume completed with status: 0x0..2023-10-03 11:48:47, Info DPX Ended DPX phase: Resume and Download Job..2023-10-03 11:48:49, Info DPX Started DPX phase: Resume and Download Job..2023-10-03 11:48:49, Info DPX Started DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:49, Info DPX Ended DPX phase: Apply Deltas Provided In File..2023-10-03 11:48:49, Info
                                                    Process:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (463), with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):2883
                                                    Entropy (8bit):5.391479948840665
                                                    Encrypted:false
                                                    SSDEEP:48:yc32YtN8Xt3yDevjrzBLt3WDPgEDeY4dH1IRmi7dH1IRmnU:yc3tWt3yiLrz9t3QJeYisptU
                                                    MD5:E47306279C4BA4D63EB386DC683C1900
                                                    SHA1:D1C78E34DFF6695DABA9E6A7E81A5710ECA2AE2F
                                                    SHA-256:869BBB8973F5067CCDB86D65EED3C5277E50D7CCEFFE9710AA4EE438BE7D7843
                                                    SHA-512:28EFCFD678C5393D13B798EC7CE0580B07323F212A1F3A4E139E3003A3C16FEDE827F8617E1E2343F02F748BED52B1BA1863EF302C69D4CE7FE56A023D271ACB
                                                    Malicious:false
                                                    Preview:.2024-04-25 17:10:56: BuildInfo: [10.0.22621.2714 (ni_release_svc_prod1.231104-1807)]..2024-04-25 17:10:56: CommandLine: ["C:\ESD\MCT\MediaCreationTool11_23H2.exe" /SelfHost /Action CreateMedia /MediaLangCode en-US /MediaEdition Enterprise /MediaArch x64 /Pkey Defer /Compat IgnoreWarning /MigrateDrivers All /ResizeRecoveryPartition Disable /ShowOOBE None /Telemetry Disable /CompactOS Disable /DynamicUpdate Disable /SkipSummary /Eula Accept ]..2024-04-25 17:10:56: Opening Box: [C:\ESD\MCT\MediaCreationTool11_23H2.exe]..2024-04-25 17:10:56: Opening Box Result: [0x0]..2024-04-25 17:10:56: Deleting box result.....2024-04-25 17:10:56: Creating path: [C:\$Windows.~WS\Sources].....2024-04-25 17:10:56: Checking cleanup registry value.....2024-04-25 17:10:56: Cleanup value missing... assuming no cleanup...2024-04-25 17:10:56: Skipping cleanup...2024-04-25 17:10:56: Preserve working path: [No]..2024-04-25 17:10:56: Cleaning alternate storage paths.....2024-04-25 17:10:56: Cleaning MoSetup Vola
                                                    Process:C:\Windows\System32\findstr.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):21
                                                    Entropy (8bit):3.8442328987631913
                                                    Encrypted:false
                                                    SSDEEP:3:xoXE2en:OXE2e
                                                    MD5:0209EBCC6ED7FA92A7793286DDF8F0E9
                                                    SHA1:D1C8424411C744F952657667D0D52078F700944C
                                                    SHA-256:AD72A3F2847A49EF3647224FA4916489104D359B964B7C855FF2652E300510D1
                                                    SHA-512:75D001DFCDE68D3AA79840DFBE10F1FD234D9119A501886A8D6AD9F4DBD9B7269A12E559CFDB1175215565803C2C54D34E1A1A51F9601B446714066C04180C02
                                                    Malicious:false
                                                    Preview: Auto Upgrade \..\c:\
                                                    Process:C:\Windows\System32\Dism.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):150
                                                    Entropy (8bit):4.736366902934682
                                                    Encrypted:false
                                                    SSDEEP:3:ywJocgXEPoCIKLsurauRoNLvahMUbqX4LxGT82AGN8cv:ZJocgvCIN2lqimUbqX4E8NGN8e
                                                    MD5:358C0381EDE2D17AA54D8D4FAEB25BFB
                                                    SHA1:FDC3772EEB89AB0250487D2C9B46AF1CF4597A43
                                                    SHA-256:B7474E4AE9CDB5F26172F91FCAE51BE3E542A8CAE483BD38949F36A6C1E33501
                                                    SHA-512:4C1EA8820C219586AFF5BE81AC7FB277D723DCCB5825FCA59CEAB0CC85063C55B166B81F09D462D12F52FA1AEA14BA0400D71353980D2E360EEF9F0BC52FE7E5
                                                    Malicious:false
                                                    Preview:..Deployment Image Servicing and Management tool..Version: 10.0.19041.844....Scanning drive C for stale files..The operation completed successfully...
                                                    File type:ASCII text, with CRLF line terminators
                                                    Entropy (8bit):5.654698386450324
                                                    TrID:
                                                      File name:MediaCreationTool.bat
                                                      File size:132'241 bytes
                                                      MD5:dd0dc9282ef05a1fa257adbdd0c020d5
                                                      SHA1:4c8697cc01a50f5776cdbd2bee3fe4fc447a892c
                                                      SHA256:e9960d7eedbedcd62f96c9420d95845f4bad4a90d491371ddbb788ba01da1d44
                                                      SHA512:30a01fc5dcf75050b4a1701bf6098c86cdf7cf3888ad4245a80ff1ba2d114c18a9029fc458db3a9410df71b14d19a55386331c8c6aa456c1c30fb6ab9616f3c6
                                                      SSDEEP:3072:QSME2DYVQ2w33dFepssMCy6nMuumU6VxjuBxpro2A+N/Lhu:QSME2DYVQV33dFmDnMuumNuDprTw
                                                      TLSH:DBD34A12AE01003A96F3C132CC855441FFAA565F2615FB8C758BD0CA2B7A5C591FEEF6
                                                      File Content Preview:@goto latest at github.com/AveYo/MediaCreationTool.bat..:Universal MCT wrapper script for all Windows 10/11 versions from 1507 to 23H2!..:: Nothing but Microsoft-hosted source links and no third-party tools; script just configures an xml and starts MCT..:
                                                      Icon Hash:9686878b929a9886
                                                      No network behavior found

                                                      Target ID:1
                                                      Start time:17:10:09
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\MediaCreationTool.bat" "
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:17:10:09
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7c1080000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:17:10:09
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\chcp.com
                                                      Wow64 process (32bit):false
                                                      Commandline:chcp 437
                                                      Imagebase:0x7ff738e90000
                                                      File size:14'848 bytes
                                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:17:10:09
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add HKCU\Console /v ForceV2 /d 0x01 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:17:10:09
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ScreenColors /d 31 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:17:10:09
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable00 /d 0x000000 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable08 /d 0x767676 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable01 /d 0x9e5a00 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable09 /d 0xff783b /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable02 /d 0x0ea113 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable10 /d 0x0cc616 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable03 /d 0xdd963a /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable11 /d 0xd6d661 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable04 /d 0x1f0fc5 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:16
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable12 /d 0x5648e7 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:17
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable05 /d 0x981788 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:18
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable13 /d 0x9e00b4 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:19
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable06 /d 0x009cc1 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:20
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable14 /d 0xa5f1f9 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:21
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable07 /d 0xcccccc /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:22
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ColorTable15 /d 0xffffff /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:23
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v QuickEdit /d 0x0000 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:24
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v LineWrap /d 0 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:25
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v LineSelection /d 0x0001 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:26
                                                      Start time:17:10:10
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v CtrlKeyShortcutsDisabled /d 0 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:27
                                                      Start time:17:10:11
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v WindowSize /d 2097272 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:28
                                                      Start time:17:10:11
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v ScreenBufferSize /d 655294584 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:29
                                                      Start time:17:10:11
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v FontSize /d 0x00100008 /t reg_dword /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:30
                                                      Start time:17:10:11
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg add "HKCU\Console\MCT" /v FaceName /d "Consolas" /t reg_sz /f
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:31
                                                      Start time:17:10:11
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\attrib.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:attrib -R -S -H "C:\ESD"
                                                      Imagebase:0x7ff715ac0000
                                                      File size:23'040 bytes
                                                      MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:32
                                                      Start time:17:10:11
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\Robocopy.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:robocopy "C:\Users\user\Desktop\/" "C:\ESD/" "MediaCreationTool.bat"
                                                      Imagebase:0x7ff684c30000
                                                      File size:172'032 bytes
                                                      MD5 hash:A4044E84AA1B75389DAA08398D90DFFD
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:33
                                                      Start time:17:10:11
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:cmd /d /x /c set "ROOT=C:\Users\user\Desktop" & call "C:\ESD\MediaCreationTool.bat" set
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:34
                                                      Start time:17:10:11
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff7c1080000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:35
                                                      Start time:17:10:11
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\chcp.com
                                                      Wow64 process (32bit):false
                                                      Commandline:chcp 437
                                                      Imagebase:0x7ff738e90000
                                                      File size:14'848 bytes
                                                      MD5 hash:33395C4732A49065EA72590B14B64F32
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:36
                                                      Start time:17:10:11
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\attrib.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:attrib -R -S -H "C:\ESD"
                                                      Imagebase:0x7ff715ac0000
                                                      File size:23'040 bytes
                                                      MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:37
                                                      Start time:17:10:11
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\Robocopy.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:robocopy "C:\ESD\/" "C:\ESD/" "MediaCreationTool.bat"
                                                      Imagebase:0x7ff684c30000
                                                      File size:172'032 bytes
                                                      MD5 hash:A4044E84AA1B75389DAA08398D90DFFD
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true
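
The two patterns in the records above are worth pulling out of a long process list automatically: the run of separate reg.exe processes writing HKCU\Console\MCT values (Targets 13 through 30, all within two seconds), and the attrib / robocopy / cmd sequence (Targets 31 through 37) that copies the sample to C:\ESD and re-invokes it from there before a second robocopy copies it onto itself. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses records in this page's "Field:value" layout, counts registry writes per console key, and pairs a robocopy of the sample with a later cmd.exe call from the new path. The embedded records are a constructed, abbreviated copy of the ones on this page; the function names and the threshold are my own choices.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample, abbreviated from the process records on this page, in the
# same "Field:value" layout the sandbox report uses (added example, not report data).
SAMPLE_RECORDS = r"""
Target ID:13
Start time:17:10:10
Path:C:\Windows\System32\reg.exe
Commandline:reg add "HKCU\Console\MCT" /v ColorTable03 /d 0xdd963a /t reg_dword /f

Target ID:14
Start time:17:10:10
Path:C:\Windows\System32\reg.exe
Commandline:reg add "HKCU\Console\MCT" /v ColorTable11 /d 0xd6d661 /t reg_dword /f

Target ID:30
Start time:17:10:11
Path:C:\Windows\System32\reg.exe
Commandline:reg add "HKCU\Console\MCT" /v FaceName /d "Consolas" /t reg_sz /f

Target ID:31
Start time:17:10:11
Path:C:\Windows\System32\attrib.exe
Commandline:attrib -R -S -H "C:\ESD"

Target ID:32
Start time:17:10:11
Path:C:\Windows\System32\Robocopy.exe
Commandline:robocopy "C:\Users\user\Desktop\/" "C:\ESD/" "MediaCreationTool.bat"

Target ID:33
Start time:17:10:11
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /d /x /c set "ROOT=C:\Users\user\Desktop" & call "C:\ESD\MediaCreationTool.bat" set
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """One dict per 'Target ID' block. Each line is split on the first ':' only,
    so values such as 'Start time:17:10:10' keep their own colons."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # blank or non-field line
        if key == "Target ID" and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def _image(rec: Dict[str, str]) -> str:
    """Lower-cased image file name of the record, e.g. 'reg.exe'."""
    return rec.get("Path", "").rsplit("\\", 1)[-1].lower()


CONSOLE_KEY_RE = re.compile(r'reg\s+add\s+"?HKCU\\Console\\([^"\s]+)"?', re.IGNORECASE)


def console_theming_writes(records: List[Dict[str, str]], threshold: int = 10) -> Dict[str, int]:
    """Count reg.exe writes per HKCU console sub-key and return the keys written at
    least `threshold` times. Console theming is benign on its own; the signal is
    one reg.exe process per value, which is what 'excessive registry tool use'
    style signatures key on, so the count is what the analyst wants to see."""
    counts: Counter = Counter()
    for rec in records:
        if _image(rec) != "reg.exe":
            continue
        m = CONSOLE_KEY_RE.search(rec.get("Commandline", ""))
        if m:
            counts[m.group(1)] += 1
    return {title: n for title, n in counts.items() if n >= threshold}


ROBOCOPY_RE = re.compile(r'robocopy\s+"([^"]+)"\s+"([^"]+)"\s+"([^"]+)"', re.IGNORECASE)


def find_self_relocation(records: List[Dict[str, str]], sample_name: str) -> Optional[Tuple[str, str, str]]:
    """Pair a robocopy that copies the sample into another directory with a later
    cmd.exe that calls it from the new path. Returns (copy id, relaunch id, new path)."""
    for i, rec in enumerate(records):
        if _image(rec) != "robocopy.exe":
            continue
        m = ROBOCOPY_RE.search(rec.get("Commandline", ""))
        if not m or m.group(3).lower() != sample_name.lower():
            continue
        src, dst = (p.rstrip("/\\") for p in m.group(1, 2))  # tolerate the trailing "\/" and "/"
        if src.lower() == dst.lower():
            continue  # a copy onto itself (the second robocopy in this run) is not a relocation
        new_path = dst + "\\" + m.group(3)
        for later in records[i + 1:]:
            if _image(later) == "cmd.exe" and new_path.lower() in later.get("Commandline", "").lower():
                return rec.get("Target ID", "?"), later.get("Target ID", "?"), new_path
    return None


def triage(text: str, sample_name: str, threshold: int = 10) -> Dict[str, object]:
    """Run both checks over a process listing and return a summary dict."""
    records = parse_records(text)
    return {
        "records": len(records),
        "console_keys": console_theming_writes(records, threshold),
        "self_relocation": find_self_relocation(records, sample_name),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, "MediaCreationTool.bat", threshold=3))
```

On the full listing from this page the default threshold of 10 is exceeded by the MCT key alone; the sample embedded above is short, so the usage line lowers it to 3. The relocation check deliberately ignores robocopy invocations whose source and destination collapse to the same directory, which is why the later copy of C:\ESD onto itself does not produce a second hit.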

                                                      Target ID:38
                                                      Start time:17:10:11
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c echo prompt $h$s$h:|cmd /d
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:39
                                                      Start time:17:10:11
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo prompt $h$s$h:"
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:40
                                                      Start time:17:10:11
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:cmd /d
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:41
                                                      Start time:17:10:12
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|" 2>nul
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:42
                                                      Start time:17:10:12
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|"
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:43
                                                      Start time:17:10:12
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|" 2>nul
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:44
                                                      Start time:17:10:12
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|"
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:45
                                                      Start time:17:10:12
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|" 2>nul
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:46
                                                      Start time:17:10:12
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|"
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:47
                                                      Start time:17:10:12
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|" 2>nul
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:48
                                                      Start time:17:10:12
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|"
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:49
                                                      Start time:17:10:12
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|" 2>nul
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:50
                                                      Start time:17:10:12
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\reg.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|"
                                                      Imagebase:0x7ff7406d0000
                                                      File size:77'312 bytes
                                                      MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:51
                                                      Start time:17:10:12
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:52
                                                      Start time:17:10:12
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:cmd /q /v:on /c echo !.:~2,1!
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:53
                                                      Start time:17:10:12
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:54
                                                      Start time:17:10:12
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:cmd /q /v:on /c echo !.:~2,1!
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:55
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:f0 " Detected Media "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:56
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:6f " en-US "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:57
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:9f " Enterprise "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:58
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:2f " x64 "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:59
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:1f "1 Auto Upgrade : MCT gets detected media, script assists setupprep for upgrading "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:60
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:1f "2 Auto ISO : MCT gets detected media, script assists making ISO here | C:ESD "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:61
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:1f "3 Auto USB : MCT gets detected media, script assists making USB stick target "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:62
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:1f "4 Select : MCT gets selected Edition, Language, Arch onto specified target "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:63
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:1f "5 MCT Defaults : MCT runs unassisted, creating media without script modification "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:64
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:17 "1-4 adds to media: PID.txt, EI.cfg, $ISO$ dir, auto.cmd for upgrade and tpm checks "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:65
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:17 "can rename script: "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:66
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:1f "def MediaCreationTool.bat"\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:67
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:17 " to always create unmodified MCT media "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:68
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                                                      Imagebase:0x7ff796360000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:69
                                                      Start time:17:10:13
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                                                      Imagebase:0x7ff6e9960000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:78
                                                      Start time:17:10:40
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\fltMC.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:fltmc
                                                      Imagebase:0x7ff654b00000
                                                      File size:31'232 bytes
                                                      MD5 hash:6AB08CADCE7DF971A043DCD1257D7374
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:79
                                                      Start time:17:10:40
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\attrib.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:attrib -R -S -H "C:\ESD" /D
                                                      Imagebase:0x7ff715ac0000
                                                      File size:23'040 bytes
                                                      MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:80
                                                      Start time:17:10:40
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:f0 " Windows 11 Version "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:81
                                                      Start time:17:10:40
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:5f " 23H2 "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:82
                                                      Start time:17:10:40
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:f1 " 22631.2861.231204-0538.23H2_ni_release_svc_refresh "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:83
                                                      Start time:17:10:40
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:6f " en-US "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:84
                                                      Start time:17:10:40
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:9f " Enterprise "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:85
                                                      Start time:17:10:40
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:2f " x64 "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:86
                                                      Start time:17:10:40
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                                                      Imagebase:0x7ff6e9960000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:89
                                                      Start time:17:10:46
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                                                      Imagebase:0x7ff6e9960000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:90
                                                      Start time:17:10:49
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\expand.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:expand.exe -R products11_23H2.cab -F:* .
                                                      Imagebase:0x7ff78d990000
                                                      File size:67'584 bytes
                                                      MD5 hash:3080AD9250254478269B486EC15C25FF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:91
                                                      Start time:17:10:49
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\findstr.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:findstr /c:\ /a:0f " Auto Upgrade "\..\c nul
                                                      Imagebase:0x7ff658530000
                                                      File size:36'352 bytes
                                                      MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:92
                                                      Start time:17:10:49
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:PRODUCTS_XML\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1';iex($0+$1)"
                                                      Imagebase:0x7ff701350000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:93
                                                      Start time:17:10:51
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\makecab.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:makecab products.xml products.cab
                                                      Imagebase:0x7ff642b90000
                                                      File size:86'528 bytes
                                                      MD5 hash:FF47E32B1B45D1DE2ECC39107B365563
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:94
                                                      Start time:17:10:51
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]generate_auto_cmd')[1];"
                                                      Imagebase:0x7ff6e9960000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:95
                                                      Start time:17:10:52
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]generate_AutoUnattend_xml')[1];"
                                                      Imagebase:0x7ff6e9960000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:96
                                                      Start time:17:10:54
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\Dism.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:dism /cleanup-wim
                                                      Imagebase:0x7ff612a70000
                                                      File size:288'048 bytes
                                                      MD5 hash:EBCC4E59DE824F22C090F20168FB5EAE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:97
                                                      Start time:17:10:54
                                                      Start date:25/04/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]Assisted_MCT')[1];"
                                                      Imagebase:0x7ff6e9960000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:98
                                                      Start time:17:10:56
                                                      Start date:25/04/2024
                                                      Path:C:\ESD\MCT\MediaCreationTool11_23H2.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\ESD\MCT\MediaCreationTool11_23H2.exe" /SelfHost /Action CreateMedia /MediaLangCode en-US /MediaEdition Enterprise /MediaArch x64 /Pkey Defer /Compat IgnoreWarning /MigrateDrivers All /ResizeRecoveryPartition Disable /ShowOOBE None /Telemetry Disable /CompactOS Disable /DynamicUpdate Disable /SkipSummary /Eula Accept
                                                      Imagebase:0x3b0000
                                                      File size:10'109'376 bytes
                                                      MD5 hash:25C9285C00EF7D41B28823A053A9A372
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false

                                                      Target ID:99
                                                      Start time:17:10:58
                                                      Start date:25/04/2024
                                                      Path:C:\$Windows.~WS\Sources\SetupHost.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web /Eula Accept /Selfhost "/Action" "CreateMedia" "/MediaLangCode" "en-US" "/MediaEdition" "Enterprise" "/MediaArch" "x64" "/Pkey" "Defer" "/Compat" "IgnoreWarning" "/MigrateDrivers" "All" "/ResizeRecoveryPartition" "Disable" "/ShowOOBE" "None" "/Telemetry" "Disable" "/CompactOS" "Disable" "/DynamicUpdate" "Disable" "/SkipSummary"
                                                      Imagebase:0x400000
                                                      File size:680'408 bytes
                                                      MD5 hash:ED6DA1611D817426E4B7DE89FE458F76
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 0%, ReversingLabs
                                                      • Detection: 0%, Virustotal
                                                      Has exited:false
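Every powershell.exe launch in the list above (the one at the top of this section and Target IDs 86, 89, 92, 94, 95 and 97) has the same shape: the batch file passes its own path in the environment variable `0` and its arguments in `1`, PowerShell reads the whole .bat back with `[io.file]::ReadAllText($env:0)`, splits it at a marker line such as `#:DOWNLOAD:` (or a cmd label such as `:generate_auto_cmd`), and hands the middle piece to `iex`, after backtick-escaping the argument so it is appended as data rather than parsed as code. The Sigma hits "PowerShell Base64 Encoded IEX Cmdlet" and "Potential Binary Or Script Dropper Via PowerShell" in the overview come from these launches. The Python below is an added example, not part of the Joe Sandbox report or of the analysed script: it re-implements that extraction so an analyst can pull each embedded section out of the .bat statically instead of letting iex run it, and it flags command lines with the launcher shape. The sample .bat and its section bodies are constructed for the example (the URL in it is a placeholder, not one from the report); the command lines in OBSERVED_CMDLINES are quoted from the process list above.

```python
r"""Static extraction of marker-delimited PowerShell sections from a .bat launcher.

Added example (not from the report or from the analysed script). It mirrors
the observed command line

    $f0=[io.file]::ReadAllText($env:0)
    $0=($f0 -split '#\:DOWNLOAD\:',3)[1]
    $1=$env:1 -replace '([`@$])','`$1'
    iex($0+$1)

so the sections can be read without letting iex execute them.
"""
import re
from collections import Counter
from typing import List, Optional

# Constructed sample .bat for this example: the launcher line reads the file
# itself ($env:0 holds its path) and runs the text between two '#:NAME:' marker
# lines. The URL is a placeholder, not one taken from the report.
SAMPLE_BAT = r"""@echo off
set "0=%~f0" & set "1=%*"
powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
exit /b
#:DOWNLOAD:
$url = 'https://example.invalid/products.cab'
Start-BitsTransfer -Source $url -Destination "$env:TEMP\products.cab"
#:DOWNLOAD:
#:PRODUCTS_XML:
expand.exe -R products11_23H2.cab -F:* .
#:PRODUCTS_XML:
"""

# Command lines quoted from the process list (two launchers, two benign tools).
OBSERVED_CMDLINES = [
    r'''powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"''',
    r'''powershell -nop -c "iex ([io.file]::ReadAllText($env:0) -split '[:]generate_auto_cmd')[1];"''',
    "fltmc",
    r'attrib -R -S -H "C:\ESD" /D',
]

MARKER_LINE = re.compile(r"^#:([A-Za-z0-9_]+):\s*$", re.MULTILINE)


def list_sections(bat_text: str) -> List[str]:
    """Names of markers that occur at least twice, i.e. that delimit a section."""
    counts = Counter(MARKER_LINE.findall(bat_text))
    return sorted(name for name, n in counts.items() if n >= 2)


def extract_section(bat_text: str, marker: str) -> str:
    r"""Text between the first two '#:MARKER:' occurrences.

    PowerShell's ($text -split 'pattern', 3)[1] yields at most three pieces
    (before / inside / after); Python's maxsplit=2 is the same limit. The
    launcher spells its pattern '#\:DOWNLOAD\:' so that its own command line,
    which contains those backslashes literally, is not matched by the split.
    """
    pieces = re.split(r"#:" + re.escape(marker) + ":", bat_text, maxsplit=2)
    if len(pieces) < 3:
        raise ValueError(f"#:{marker}: does not delimit a section")
    return pieces[1]


def escape_argument(arg: str) -> str:
    """Mirror  $env:1 -replace '([`@$])','`$1' : prefix each backtick, @ and $
    with a backtick, so the appended argument cannot start a PowerShell
    expression when the concatenation reaches iex."""
    return re.sub(r"([`@$])", r"`\1", arg)


IEX_RE = re.compile(r"\biex\b|Invoke-Expression", re.IGNORECASE)
SPLIT_RE = re.compile(r"-split\s*'([^']+)'")


def is_section_launcher(cmdline: str) -> bool:
    """True for a PowerShell command that reads a file named by an environment
    variable and feeds part of it to iex, the shape shared by every launcher
    in the process list."""
    return "ReadAllText($env:" in cmdline and IEX_RE.search(cmdline) is not None


def split_pattern(cmdline: str) -> Optional[str]:
    """The -split pattern used by the launcher; it names the section that runs."""
    m = SPLIT_RE.search(cmdline)
    return m.group(1) if m else None


def triage(cmdlines):
    """(cmdline, split pattern) for each launcher-shaped command line."""
    return [(c, split_pattern(c)) for c in cmdlines if is_section_launcher(c)]


if __name__ == "__main__":
    for name in list_sections(SAMPLE_BAT):
        print(f"--- #:{name}: ---")
        print(extract_section(SAMPLE_BAT, name).strip())
    for cmd, pat in triage(OBSERVED_CMDLINES):
        print("launcher section pattern:", pat)
```

Run against the real sample, `list_sections` gives the marker inventory and `extract_section` returns each block of PowerShell as text, which is the right input for further review; `triage` over a process log (EDR command-line telemetry, or the sandbox's own process list) separates the self-reading iex launchers from the plain findstr/attrib/expand helpers that run alongside them.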


                                                        Execution Graph

                                                        Execution Coverage:5.8%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:21.1%
                                                        Total number of Nodes:711
                                                        Total number of Limit Nodes:25
                                                        execution_graph: the node and edge listing of the rendered call graph (711 nodes, addresses in the 0x7036xxxx to 0x7038xxxx range, ending mid-entry on this page) is omitted here; only the API names it carries are kept. Named calls, in order of first appearance: EnterCriticalSection, WdsSetupLogInit, LeaveCriticalSection, WdsSetupLogDestroy, malloc, _callnewh, GetProcessHeap, HeapReAlloc, HeapAlloc, ConstructPartialMsgVW, WdsSetupLogMessageW, HeapFree, UnmapViewOfFile, GetLastError, WdsLogRegStockProviders, WdsLogCreate, GetWindowsDirectoryA, _vsnwprintf, SetUnhandledExceptionFilter, ExpandEnvironmentStringsW, CreateDirectoryW, GetFileAttributesW, GetCurrentProcessId, RtlAddVectoredExceptionHandler, GetVersion, GetModuleHandleW, memset, GetProcAddress, LoadLibraryExW, FreeLibrary, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, WaitForSingleObject, TlsAlloc, FindCloseChangeNotification, _vsnprintf, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, SetLastError, InitializeSecurityDescriptor, CreateMutexW, GetCurrentThread, OpenThreadToken, OpenProcessToken, GetTokenInformation, InitializeAcl, AddAccessAllowedAce, EqualSid, SetSecurityDescriptorDacl, DebugBreak, GetFileSizeEx, _wcsicmp, CreateFileW, SetFilePointer, RtlAllocateHeap, WriteFile; the graph also labels one node with the MSVC exception-handler symbol __ehhandler$?PrimaryInvocation@UMSFreeVirtualProcessorRoot@details@Concurrency@@CGXW4_RTL_UMS_SCHEDULER_REASON@@KPAX@Z.
                                                        Two chains in the graph are worth reading as units: AllocateAndInitializeSid followed by CheckTokenMembership and FreeSid is the standard check for membership of a well-known group (the "Enables security privileges" and elevation-related signatures in the overview are consistent with it), and OpenThreadToken/OpenProcessToken, GetTokenInformation, InitializeAcl, AddAccessAllowedAce and SetSecurityDescriptorDacl feeding CreateMutexW is the creation of a named mutex with an explicit DACL, the usual single-instance guard.
13170->13171 13172 70385273 13170->13172 13173 70385286 GetProcessHeap HeapReAlloc 13171->13173 13175 7038256f 13171->13175 13174 703851d2 6 API calls 13172->13174 13173->13175 13174->13175 13175->13168 13175->13169 13179 70382bbc 13176->13179 13177 70389040 __ehhandler$?PrimaryInvocation@UMSFreeVirtualProcessorRoot@details@Concurrency@@CGXW4_RTL_UMS_SCHEDULER_REASON@@KPAX@Z 4 API calls 13178 70382c22 13177->13178 13178->13103 13179->13177 13181 703818f3 _wcsicmp 13180->13181 13182 70381a4f 13181->13182 13183 70381a8b 13182->13183 13184 70381a77 memcpy 13182->13184 13183->13106 13184->13183 13186 703874a0 13185->13186 13190 703874b2 13185->13190 13195 70387601 13186->13195 13190->12999 13192 703812aa 13191->13192 13194 703812d4 13191->13194 13193 70382b99 4 API calls 13192->13193 13192->13194 13193->13194 13194->12997 13196 70387612 13195->13196 13197 70387623 13196->13197 13220 70387524 13196->13220 13199 703874a7 13197->13199 13200 70387627 memset 13197->13200 13201 70387a71 13199->13201 13200->13199 13241 703896a4 13201->13241 13203 70387a7d _wfopen 13204 70387c7d 13203->13204 13205 70387ab6 GetProcessHeap HeapAlloc 13203->13205 13261 70387ca6 13204->13261 13207 70387adb 13205->13207 13207->13204 13209 70387ae4 fgetws 13207->13209 13211 70387b20 GetProcessHeap HeapReAlloc 13207->13211 13214 70387b9c iswctype 13207->13214 13215 70387c45 swscanf_s 13207->13215 13216 70387bdc GetProcessHeap HeapFree 13207->13216 13217 70387bfe GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 13207->13217 13218 70387bef GetProcessHeap HeapFree 13207->13218 13242 70387813 13207->13242 13209->13207 13210 70387c76 13209->13210 13210->13204 13211->13204 13212 70387b49 fgetws 13211->13212 13212->13207 13213 70387b71 feof 13212->13213 13213->13204 13213->13207 13214->13207 13215->13204 13215->13207 13216->13207 13217->13204 13217->13207 13218->13217 13221 70387537 13220->13221 13222 70387548 13221->13222 13228 703875d4 13221->13228 13224 7038754c memset 13222->13224 13226 70387563 
13222->13226 13224->13226 13225 7038756e 13225->13196 13226->13225 13232 70387581 13226->13232 13229 703875e3 13228->13229 13230 703875ef 13228->13230 13229->13230 13237 7036f92c GetProcessHeap HeapFree 13229->13237 13230->13221 13238 70380693 13232->13238 13235 7037cda0 2 API calls 13236 703875bb 13235->13236 13236->13225 13237->13230 13239 703806bf 13238->13239 13240 703806a7 GetProcessHeap HeapFree 13238->13240 13239->13235 13240->13239 13241->13203 13272 703896a4 13242->13272 13244 7038781f _wcsicmp 13245 70387853 _wcsicmp 13244->13245 13246 7038784f 13244->13246 13245->13246 13247 70387882 _wcsicmp 13246->13247 13248 70387896 13246->13248 13247->13248 13249 703878a7 13247->13249 13291 70387a1a 13248->13291 13249->13248 13251 703878b5 6 API calls 13249->13251 13251->13248 13253 703878f8 13251->13253 13253->13248 13273 703874c8 13253->13273 13255 7038792e wcstok_s 13256 703879db 13255->13256 13257 70387941 swscanf_s 13255->13257 13258 703824e4 9 API calls 13256->13258 13259 70387910 13257->13259 13258->13248 13259->13248 13259->13255 13279 703876ba 13259->13279 13262 70387cad fclose 13261->13262 13263 70387cb5 13261->13263 13262->13263 13264 70387cc3 13263->13264 13265 70387601 8 API calls 13263->13265 13266 70387cd6 13264->13266 13267 70387cc7 GetProcessHeap HeapFree 13264->13267 13265->13264 13268 70387ce9 13266->13268 13269 70387cda GetProcessHeap HeapFree 13266->13269 13267->13266 13270 70387c89 13268->13270 13271 70387cf0 GetProcessHeap HeapFree 13268->13271 13269->13268 13270->13190 13271->13270 13272->13244 13274 703874d4 __EH_prolog3 13273->13274 13275 70388a68 2 API calls 13274->13275 13276 703874db 13275->13276 13277 70382554 9 API calls 13276->13277 13278 7038750c 13276->13278 13277->13278 13278->13259 13281 703876c6 13279->13281 13280 703876e3 _wcsicmp 13280->13281 13284 703876f9 13280->13284 13281->13280 13281->13284 13285 70388a68 2 API calls 13284->13285 13290 703877c9 13284->13290 13286 70387786 13285->13286 13286->13290 13301 70387649 
13286->13301 13289 703824e4 9 API calls 13289->13290 13309 703877fe 13290->13309 13292 70387a28 13291->13292 13293 70387a1e 13291->13293 13294 70387a3e 13292->13294 13295 70387a2f GetProcessHeap HeapFree 13292->13295 13293->13292 13296 70387524 7 API calls 13293->13296 13297 70387a54 13294->13297 13298 70387a45 GetProcessHeap HeapFree 13294->13298 13295->13294 13296->13292 13299 703879fe 13297->13299 13300 70387a5b GetProcessHeap HeapFree 13297->13300 13298->13297 13299->13207 13300->13299 13302 7038765d 13301->13302 13303 70387696 13301->13303 13304 70387662 13302->13304 13305 70387684 _wtoi 13302->13305 13308 70387674 13303->13308 13321 70383584 13303->13321 13304->13308 13313 70387f2c 13304->13313 13305->13308 13308->13289 13308->13290 13310 703877e4 13309->13310 13311 70387802 13309->13311 13310->13259 13311->13310 13312 703875d4 2 API calls 13311->13312 13312->13310 13314 70387fc4 13313->13314 13315 70387f4b swscanf_s 13313->13315 13319 70389040 __ehhandler$?PrimaryInvocation@UMSFreeVirtualProcessorRoot@details@Concurrency@@CGXW4_RTL_UMS_SCHEDULER_REASON@@KPAX@Z 4 API calls 13314->13319 13316 70387f8e 13315->13316 13317 70387f6e swscanf_s 13315->13317 13316->13314 13318 70387fb3 SystemTimeToVariantTime 13316->13318 13317->13314 13317->13316 13318->13314 13320 70387fd7 13319->13320 13320->13308 13322 7038358d 13321->13322 13323 70383591 13321->13323 13322->13308 13324 70383598 GetProcessHeap HeapAlloc 13323->13324 13325 703835b0 13324->13325 13325->13308 13327 7037f0cb 13326->13327 13328 703847c2 DebugBreak 13326->13328 13327->12880 13328->13327 13330 7037d19e 13329->13330 13330->13010 13331->13016 13332 7037f850 GetLastError memset 13333 7037fb29 13332->13333 13336 7037f8eb 13332->13336 13335 70389040 __ehhandler$?PrimaryInvocation@UMSFreeVirtualProcessorRoot@details@Concurrency@@CGXW4_RTL_UMS_SCHEDULER_REASON@@KPAX@Z 4 API calls 13333->13335 13334 7037f95a 13344 7037f9a1 13334->13344 13373 7037d3be 13334->13373 13337 7037fb3c 13335->13337 13336->13333 
13336->13334 13336->13336 13338 7037f910 GetProcessHeap HeapAlloc 13336->13338 13338->13334 13339 7037f938 13338->13339 13341 703691e5 _vsnwprintf 13339->13341 13343 7037f948 13341->13343 13343->13334 13345 7037fa3f 13344->13345 13376 7037f532 13344->13376 13365 7037f35c GetLocalTime SystemTimeToVariantTime 13345->13365 13350 7037fa0e 13380 7037f7d2 13350->13380 13351 7037f98c wcsrchr 13351->13344 13353 7037fa1e 13389 70385039 GetModuleHandleExA 13353->13389 13354 7037fad7 13369 70382190 13354->13369 13357 7037fad9 13358 7037fae6 GetProcessHeap HeapFree 13357->13358 13359 7037faf5 13357->13359 13358->13359 13360 7037fb06 13359->13360 13361 7037fafa WdsSetupLogDestroy ExitProcess 13359->13361 13362 7037fb0c RaiseException 13360->13362 13363 7037fb1b SetLastError 13360->13363 13362->13363 13363->13333 13366 7037f399 13365->13366 13367 70389040 __ehhandler$?PrimaryInvocation@UMSFreeVirtualProcessorRoot@details@Concurrency@@CGXW4_RTL_UMS_SCHEDULER_REASON@@KPAX@Z 4 API calls 13366->13367 13368 7037f3ab GetCurrentThreadId GetMinorTask GetMajorTask 13367->13368 13368->13354 13371 7038219c 13369->13371 13372 7038231e 13371->13372 13393 70381dbd 13371->13393 13372->13357 13374 7037d3e9 13373->13374 13375 7037d3d8 VirtualQuery 13373->13375 13374->13344 13374->13351 13375->13374 13377 7037f53b 13376->13377 13379 7037f540 13376->13379 13414 7037f466 memset RegOpenKeyExW 13377->13414 13379->13345 13379->13350 13429 703835cc 13380->13429 13382 7037f7e2 13383 703835cc 3 API calls 13382->13383 13384 7037f7eb 13383->13384 13385 703835cc 3 API calls 13384->13385 13386 7037f7f5 13385->13386 13436 7037f55a GetProcessHeap HeapAlloc GetProcessHeap HeapReAlloc 13386->13436 13388 7037f801 6 API calls 13388->13353 13390 7037fa2f GetProcessHeap HeapFree 13389->13390 13391 70385061 13389->13391 13390->13345 13391->13390 13392 70385067 GetProcAddress 13391->13392 13392->13390 13394 70381dc9 13393->13394 13395 70381dde 13394->13395 13399 70381de6 13394->13399 13401 70381c15 GetProcessHeap 
HeapAlloc 13395->13401 13398 70381f02 13398->13372 13399->13398 13400 70386380 6 API calls 13399->13400 13400->13399 13402 70381d58 13401->13402 13408 70381c4b 13401->13408 13402->13399 13403 70381d3a GetProcessHeap HeapAlloc 13405 70381d51 13403->13405 13404 70381cf0 GetProcessHeap HeapAlloc 13404->13405 13405->13402 13409 70381da1 GetProcessHeap HeapFree 13405->13409 13412 70381d7e GetProcessHeap HeapFree 13405->13412 13413 70381d9f 13405->13413 13406 70381c8f GetProcessHeap HeapAlloc 13406->13408 13407 70381d13 GetProcessHeap HeapAlloc 13407->13408 13408->13406 13408->13407 13410 70381cab memcpy 13408->13410 13411 70381cdf 13408->13411 13409->13402 13410->13408 13411->13403 13411->13404 13411->13405 13412->13405 13413->13409 13415 7037f4c2 RegQueryValueExW 13414->13415 13416 7037f4f8 GetEnvironmentVariableW 13414->13416 13417 7037f4e7 13415->13417 13418 7037f4e8 RegCloseKey 13415->13418 13419 7037f513 13416->13419 13420 7037f51e 13416->13420 13417->13418 13418->13416 13418->13419 13424 7037f3b3 13419->13424 13422 70389040 __ehhandler$?PrimaryInvocation@UMSFreeVirtualProcessorRoot@details@Concurrency@@CGXW4_RTL_UMS_SCHEDULER_REASON@@KPAX@Z 4 API calls 13420->13422 13423 7037f52a 13422->13423 13423->13379 13425 7037f3c6 wcsrchr 13424->13425 13428 7037f454 13424->13428 13427 7037f3dc 13425->13427 13426 7037f3f9 towlower towlower 13426->13427 13427->13426 13427->13428 13428->13420 13430 703835d9 13429->13430 13431 703835d5 13429->13431 13432 703835e0 GetProcessHeap HeapAlloc 13430->13432 13431->13382 13433 703835f8 13432->13433 13435 70383605 13432->13435 13456 70372cf6 13433->13456 13435->13382 13437 7037f596 13436->13437 13437->13437 13438 7037f59e strrchr 13437->13438 13439 7037f5be GetProcessHeap HeapReAlloc 13438->13439 13441 7037f5ee 13439->13441 13441->13441 13442 7037f602 GetProcessHeap HeapReAlloc 13441->13442 13444 7037f630 13442->13444 13443 7037f698 GetProcessHeap HeapReAlloc 13446 7037f6bd 13443->13446 13444->13443 13444->13444 13445 7037f656 
GetProcessHeap HeapReAlloc 13444->13445 13452 7037f676 13445->13452 13447 7037f6d5 strrchr 13446->13447 13448 7037f741 GetProcessHeap HeapReAlloc 13446->13448 13449 7037f717 13447->13449 13450 7037f6e9 GetProcessHeap HeapReAlloc 13447->13450 13453 7037f75a 13448->13453 13449->13448 13450->13449 13452->13443 13453->13453 13454 7037f77f GetProcessHeap HeapReAlloc 13453->13454 13455 7037f79b 13453->13455 13454->13455 13455->13388 13455->13455 13457 70372d03 13456->13457 13459 70372d2a 13456->13459 13458 70372d0a _vsnprintf 13457->13458 13457->13459 13458->13459 13459->13435 13460 703800a0 13461 703800be GetLastError 13460->13461 13462 703800b7 13460->13462 13481 7037fdab 13461->13481 13465 703801f0 SetLastError 13465->13462 13466 703801e6 13466->13465 13467 703800fa FormatMessageW 13468 70380122 13467->13468 13469 7038013c GetProcessHeap HeapAlloc 13468->13469 13470 70380185 13468->13470 13471 7038015c 13469->13471 13472 7038016c 13469->13472 13474 703691e5 _vsnwprintf 13470->13474 13473 703691e5 _vsnwprintf 13471->13473 13472->13470 13473->13472 13475 703801a4 13474->13475 13497 7037d089 13475->13497 13478 703801d5 13478->13466 13480 703801db LocalFree 13478->13480 13479 703801c5 GetProcessHeap HeapFree 13479->13478 13480->13466 13501 703896a4 13481->13501 13483 7037fdb7 TlsGetValue 13484 7037ff07 13483->13484 13485 7037fdd4 EnterCriticalSection 13483->13485 13484->13465 13484->13466 13484->13467 13484->13468 13486 7037fe1b 13485->13486 13487 7037fdea GetProcessHeap HeapAlloc 13485->13487 13489 7037fe5e GetProcessHeap RtlAllocateHeap 13486->13489 13490 7037fe2b GetProcessHeap HeapReAlloc 13486->13490 13488 7037fe07 13487->13488 13493 7037fea6 13487->13493 13488->13489 13492 7037fe84 TlsSetValue 13489->13492 13489->13493 13491 7037fe4d 13490->13491 13490->13493 13491->13489 13492->13493 13494 7037febf 13493->13494 13495 7037feda TlsSetValue GetProcessHeap HeapFree 13493->13495 13496 7037fefa LeaveCriticalSection 13494->13496 13495->13496 13496->13484 13498 7037d096 
13497->13498 13499 7037d0b9 13497->13499 13498->13499 13500 7037d09e _vsnwprintf 13498->13500 13499->13478 13499->13479 13500->13499 13501->13483 13502 703823c0 13503 70384e42 12 API calls 13502->13503 13504 703823cd 13503->13504 13505 70388a68 2 API calls 13504->13505 13511 70382405 13504->13511 13506 703823d8 13505->13506 13506->13511 13513 70380936 13506->13513 13508 703823e4 13508->13511 13528 70380c1a 13508->13528 13514 70380942 __EH_prolog3 13513->13514 13515 70388a68 2 API calls 13514->13515 13516 70380986 13515->13516 13517 703809ae 13516->13517 13518 70382554 9 API calls 13516->13518 13519 70388a68 2 API calls 13517->13519 13518->13517 13520 703809c0 13519->13520 13521 70382554 9 API calls 13520->13521 13524 703809ec 13520->13524 13521->13524 13522 70380a08 13523 70380a15 RaiseException 13522->13523 13526 70380a4a 4 API calls 13522->13526 13525 70380a24 13523->13525 13524->13522 13524->13525 13550 70380a4a 13524->13550 13525->13508 13526->13523 13530 70380c26 13528->13530 13529 70380d8b 13529->13511 13541 70380aab 13529->13541 13530->13529 13540 70384cd0 40 API calls 13530->13540 13531 70380c66 13531->13529 13555 70380b42 13531->13555 13533 70380c8a 13534 70380d75 13533->13534 13536 70380cb4 GetProcessHeap RtlAllocateHeap 13533->13536 13571 70380d95 13534->13571 13536->13534 13537 70380cd7 memset 13536->13537 13539 70380cf4 13537->13539 13539->13534 13565 7038082a 13539->13565 13540->13531 13542 703810d8 12 API calls 13541->13542 13543 70380ae4 13542->13543 13544 70380af1 13543->13544 13545 70380a4a 4 API calls 13543->13545 13546 70380b02 13544->13546 13547 70380a4a 4 API calls 13544->13547 13545->13544 13548 7037cda0 2 API calls 13546->13548 13547->13546 13549 70380b0e 13548->13549 13549->13511 13551 70380693 2 API calls 13550->13551 13552 70380a7e 13551->13552 13553 7037cda0 2 API calls 13552->13553 13554 70380a86 13553->13554 13554->13522 13556 70380b4e __EH_prolog3 13555->13556 13557 703851d2 6 API calls 13556->13557 13561 70380b86 13557->13561 13558 
70380bff 13559 7037cda0 2 API calls 13558->13559 13560 70380c0a 13559->13560 13560->13533 13561->13558 13577 70385129 13561->13577 13563 70380bbc 13563->13558 13564 70380bcc memset 13563->13564 13564->13558 13566 70380836 __EH_prolog3 13565->13566 13567 703808d6 13566->13567 13568 70388a68 2 API calls 13566->13568 13567->13534 13569 70380870 13568->13569 13569->13567 13570 703851d2 6 API calls 13569->13570 13570->13569 13572 70380d99 13571->13572 13574 70380da0 13571->13574 13592 70380fa3 13572->13592 13575 70380db3 13574->13575 13596 703810d8 13574->13596 13575->13529 13578 70385137 13577->13578 13583 70384d40 13578->13583 13580 70385158 13580->13563 13584 70384474 35 API calls 13583->13584 13585 70384d55 CreateFileMappingW 13584->13585 13587 70384751 3 API calls 13585->13587 13588 70384d8d 13587->13588 13589 70384d91 13588->13589 13590 70384d9c GetLastError 13588->13590 13589->13580 13591 703847e0 MapViewOfFile 13589->13591 13590->13589 13591->13580 13593 703810c6 13592->13593 13594 70380fbc 13592->13594 13593->13574 13594->13593 13595 70381085 memcpy 13594->13595 13595->13594 13597 703810e4 13596->13597 13598 70380fa3 memcpy 13597->13598 13600 70381102 13598->13600 13599 70381134 13601 70381153 13599->13601 13610 70381748 13599->13610 13600->13599 13602 70382b99 4 API calls 13600->13602 13626 703824bb 13601->13626 13602->13599 13606 703824bb memset 13607 7038116f 13606->13607 13608 70381189 GetProcessHeap HeapFree 13607->13608 13609 703811a1 13607->13609 13608->13609 13609->13575 13612 70381773 13610->13612 13616 703817b4 13610->13616 13611 70381828 13614 70382b99 4 API calls 13611->13614 13613 703818f3 _wcsicmp 13612->13613 13613->13616 13622 7038185c 13614->13622 13615 70382b99 4 API calls 13615->13611 13616->13611 13616->13615 13618 703818a3 13616->13618 13617 703818af GetProcessHeap HeapFree 13617->13618 13619 70389040 __ehhandler$?PrimaryInvocation@UMSFreeVirtualProcessorRoot@details@Concurrency@@CGXW4_RTL_UMS_SCHEDULER_REASON@@KPAX@Z 4 API calls 
13618->13619 13620 703818e7 13619->13620 13620->13599 13622->13617 13623 70381a37 2 API calls 13622->13623 13624 7038189f 13623->13624 13624->13618 13625 70382b99 4 API calls 13624->13625 13625->13617 13627 70381167 13626->13627 13628 703824c5 memset 13626->13628 13627->13606 13628->13627

                                                        Control-flow Graph

                                                        APIs
                                                        • memset.MSVCRT ref: 7037E660
                                                        • memset.MSVCRT ref: 7037E674
                                                        • memset.MSVCRT ref: 7037E683
                                                        • memset.MSVCRT ref: 7037E692
                                                        • memset.MSVCRT ref: 7037E6A1
                                                        • memset.MSVCRT ref: 7037E6B0
                                                        • memset.MSVCRT ref: 7037E6C2
                                                        • memset.MSVCRT ref: 7037E6D1
                                                          • Part of subcall function 70384E42: GetVersion.KERNEL32(?), ref: 70384E85
                                                          • Part of subcall function 70384E42: GetModuleHandleW.KERNEL32(kernel32,?), ref: 70384EF9
                                                          • Part of subcall function 70384E42: GetProcAddress.KERNEL32(00000000,AddVectoredExceptionHandler), ref: 70384F09
                                                          • Part of subcall function 70384E42: memset.MSVCRT ref: 70384FBD
                                                          • Part of subcall function 70384E42: ExpandEnvironmentStringsW.KERNEL32(%windir%\system32\dbghelp.dll,?,00000104,?,?,?), ref: 70384FD6
                                                          • Part of subcall function 70384E42: LoadLibraryExW.KERNELBASE(?,00000000,00000000,?,?,?), ref: 70384FE9
                                                          • Part of subcall function 70384E42: FreeLibrary.KERNEL32(00000000,?,?,?), ref: 70384FFE
                                                        • GetLastError.KERNEL32 ref: 7037E73A
                                                        • GetWindowsDirectoryA.KERNEL32(?,000000FA,|Y6p,70365DC0,00000011), ref: 7037E7E1
                                                          • Part of subcall function 703691E5: _vsnwprintf.MSVCRT ref: 7036920C
                                                        • ExpandEnvironmentStringsW.KERNEL32(%WINDIR%\Minidump,C:\$Windows.~WS\Sources\Panther\,00000104), ref: 7037EBF8
                                                        • GetFileAttributesW.KERNEL32(C:\$Windows.~WS\Sources\Panther\), ref: 7037EC03
                                                        • CreateDirectoryW.KERNEL32(C:\$Windows.~WS\Sources\Panther\,00000000), ref: 7037EC25
                                                        • SetUnhandledExceptionFilter.KERNEL32(7037DA00), ref: 7037EC41
                                                        • GetCurrentProcessId.KERNEL32 ref: 7037EF37
                                                        • GetLastError.KERNEL32 ref: 7037EFBE
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000591,onecore\base\ntsetup\panther\wdslog\setuplog.cpp,WdsSetupLogInit,?,00000000,00000000,00000000), ref: 7037EFFB
                                                        • RtlAddVectoredExceptionHandler.NTDLL ref: 7037F030
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: memset$DirectoryEnvironmentErrorExceptionExpandLastLibraryStrings$AddressAttributesCreateCurrentFileFilterFreeHandleHandlerLoadMessageModuleProcProcessSetupUnhandledVectoredVersionWindows_vsnwprintf
                                                        • String ID: %S\%s$%WINDIR%\Minidump$%s\$C:\$Windows.~WS\Sources\Panther\$C:\$Windows.~WS\Sources\SetupHost.Exe$C:\$Windows.~WS\Sources\SetupHost.Exe$CONOUT$$Con$Err$Fil$Fun$Global\SetupLog$Global\WdsSetupLogInit$Msg$SACSetupAct$SACSetupErr$SetupLog$Sev$Uid$Unable to load global log filter.$WdsSetupLogInit$Windows Setup activity log$Windows Setup error log$c:\$debug.log$diagerr.xml$diagwrn.xml$onecore\base\ntsetup\panther\wdslog\setuplog.cpp$setupact.log$setuperr.log$setuplog.cfg$setuplog.xml$|Y6p
                                                        • API String ID: 1849026080-3858379750
                                                        • Opcode ID: 0f3409aa87f941e5695c6810feb0855a52d18e0de1a12a833799e889beb97b7a
                                                        • Instruction ID: 3dab2cd3651c27e7de1e3618e2a226c6a0d5777ffd9d4a9fa8f93cb639f4dcfc
                                                        • Opcode Fuzzy Hash: 0f3409aa87f941e5695c6810feb0855a52d18e0de1a12a833799e889beb97b7a
                                                        • Instruction Fuzzy Hash: 764232B1A002299FDB24CB55CC85BEE77BCBB08350F1041EAE94AE7294D7749E85DF60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • InitializeSecurityDescriptor.ADVAPI32(?,00000001,7038B628,00000038,70384CE4), ref: 703844B2
                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,8L8p,?,00000001,7038B628,00000038,70384CE4), ref: 703844D7
                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,7038B628,?,00000001,7038B628,00000038,70384CE4), ref: 703844F8
                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,L8p,?,00000001,7038B628,00000038,70384CE4), ref: 70384519
                                                        • GetCurrentThread.KERNEL32 ref: 7038452F
                                                        • OpenThreadToken.ADVAPI32(00000000,?,00000001,7038B628,00000038,70384CE4), ref: 70384536
                                                        • GetLastError.KERNEL32(?,00000001,7038B628,00000038,70384CE4), ref: 70384540
                                                        • GetCurrentProcess.KERNEL32(00000008,00000001,?,00000001,7038B628,00000038,70384CE4), ref: 70384557
                                                        • OpenProcessToken.ADVAPI32(00000000,?,00000001,7038B628,00000038,70384CE4), ref: 7038455E
                                                        • GetTokenInformation.KERNELBASE(00000001,00000001(TokenIntegrityLevel),00000000,00000000,?,?,00000001,7038B628,00000038,70384CE4), ref: 70384580
                                                        • GetLastError.KERNEL32(?,00000001,7038B628,00000038,70384CE4), ref: 7038458E
                                                        • GetProcessHeap.KERNEL32(?,00000001,7038B628,00000038,70384CE4), ref: 703845A0
                                                        • HeapAlloc.KERNEL32(00000000,00000008,?,?,00000001,7038B628,00000038,70384CE4), ref: 703845AA
                                                        • GetTokenInformation.KERNELBASE(00000001,00000001(TokenIntegrityLevel),00000000,?,?,?,00000001,7038B628,00000038,70384CE4), ref: 703845CA
                                                        • GetLengthSid.ADVAPI32(00000000,?,00000001,7038B628,00000038,70384CE4), ref: 703845DA
                                                        • GetLengthSid.ADVAPI32(L8p,?,00000001,7038B628,00000038,70384CE4), ref: 703845E5
                                                        • GetLengthSid.ADVAPI32(7038B628,?,00000001,7038B628,00000038,70384CE4), ref: 703845F0
                                                        • GetLengthSid.ADVAPI32(00000038,?,00000001,7038B628,00000038,70384CE4), ref: 703845FB
                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,00000001,7038B628,00000038,70384CE4), ref: 70384609
                                                        • HeapAlloc.KERNEL32(00000000,?,00000001,7038B628,00000038,70384CE4), ref: 70384610
                                                        • InitializeAcl.ADVAPI32(00000000,00000000,00000002,?,00000001,7038B628,00000038,70384CE4), ref: 70384627
                                                        • AddAccessAllowedAce.ADVAPI32(00000000,00000002,C01F0000,00000038,?,00000001,7038B628,00000038,70384CE4), ref: 7038463D
                                                        • AddAccessAllowedAce.ADVAPI32(00000000,00000002,C01F0000,7038B628,?,00000001,7038B628,00000038,70384CE4), ref: 7038464E
                                                        • AddAccessAllowedAce.ADVAPI32(00000000,00000002,C0110000,70384CE4,?,00000001,7038B628,00000038,70384CE4), ref: 70384663
                                                        • EqualSid.ADVAPI32(70384CE4,?,?,00000001,7038B628,00000038,70384CE4), ref: 70384675
                                                        • AddAccessAllowedAce.ADVAPI32(00000000,00000002,C01F0000,?,?,00000001,7038B628,00000038,70384CE4), ref: 70384689
                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000001,00000001,00000000,00000000,?,00000001,7038B628,00000038,70384CE4), ref: 7038469C
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 703846C4
                                                        • HeapFree.KERNEL32(00000000), ref: 703846CB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$InitializeProcess$AccessAllowedLengthToken$Allocate$AllocCurrentDescriptorErrorInformationLastOpenSecurityThread$DaclEqualFree
                                                        • String ID: 8L8p
                                                        • API String ID: 719363623-2724670973
                                                        • Opcode ID: 40f6339606c23c60a6d5ba50747b1c36fd37897ec97d59f7bb2de3a7925cac2a
                                                        • Instruction ID: b1dea197187abfb2d26d65b0194af1e54f008a311387e368996f70ed09ac552f
                                                        • Opcode Fuzzy Hash: 40f6339606c23c60a6d5ba50747b1c36fd37897ec97d59f7bb2de3a7925cac2a
                                                        • Instruction Fuzzy Hash: CC611CB2A00204AFEB119FA6DD48F9EBABDFF19750F314099F506E61D1E7B188449B70
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 190 7037f850-7037f8e5 GetLastError memset 191 7037f8eb-7037f8ed 190->191 192 7037fb29 190->192 191->192 194 7037f8f3-7037f902 191->194 193 7037fb2b-7037fb3f call 70389040 192->193 195 7037f904-7037f906 194->195 196 7037f95a 194->196 198 7037f909-7037f90e 195->198 200 7037f95e-7037f964 196->200 198->198 201 7037f910-7037f936 GetProcessHeap HeapAlloc 198->201 202 7037f966-7037f96f call 7037d3be 200->202 203 7037f9b2-7037f9c0 200->203 201->200 204 7037f938-7037f94d call 703691e5 201->204 217 7037f971-7037f99f wcsrchr 202->217 218 7037f9aa-7037f9ae 202->218 205 7037f9c6-7037f9d4 203->205 206 7037f9c2-7037f9c4 203->206 204->196 219 7037f94f-7037f955 204->219 210 7037f9e7-7037f9ef 205->210 211 7037f9d6-7037f9e5 205->211 206->205 209 7037f9f9-7037f9fb 206->209 215 7037fa05-7037fa0c call 7037f532 209->215 216 7037f9fd-7037fa03 209->216 210->209 214 7037f9f1 210->214 211->210 214->209 220 7037fa3f-7037fad7 call 7037f35c GetCurrentThreadId GetMinorTask GetMajorTask call 70382190 215->220 226 7037fa0e-7037fa39 call 7037f7d2 call 70385039 GetProcessHeap HeapFree 215->226 216->215 216->220 217->218 230 7037f9a1-7037f9a8 217->230 218->203 219->196 234 7037fad9-7037fae4 220->234 226->220 230->203 235 7037fae6-7037faef GetProcessHeap HeapFree 234->235 236 7037faf5-7037faf8 234->236 235->236 237 7037fb06-7037fb0a 236->237 238 7037fafa-7037fb00 WdsSetupLogDestroy ExitProcess 236->238 239 7037fb0c-7037fb15 RaiseException 237->239 240 7037fb1b-7037fb27 SetLastError 237->240 239->240 240->193
                                                        APIs
                                                        • GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                        • memset.MSVCRT ref: 7037F8CF
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                        • HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • wcsrchr.MSVCRT ref: 7037F993
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 7037FA32
                                                        • HeapFree.KERNEL32(00000000,?,?), ref: 7037FA39
                                                        • GetCurrentThreadId.KERNEL32 ref: 7037FA56
                                                        • GetMinorTask.WDSCORE ref: 7037FA72
                                                        • GetMajorTask.WDSCORE ref: 7037FA7B
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 7037FAE8
                                                        • HeapFree.KERNEL32(00000000), ref: 7037FAEF
                                                        • WdsSetupLogDestroy.WDSCORE ref: 7037FAFA
                                                        • ExitProcess.KERNEL32 ref: 7037FB00
                                                        • RaiseException.KERNEL32(C0000025,00000001,00000000,00000000), ref: 7037FB15
                                                        • SetLastError.KERNEL32(?), ref: 7037FB1F
                                                        Strings
                                                        • <unknown>, xrefs: 7037F8B3
                                                        • C:\$Windows.~WS\Sources\SetupHost.Exe, xrefs: 7037FA97
                                                        • WdsInitializeCallbackArray, xrefs: 7037F8A1
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$ErrorFreeLastTask$AllocCurrentDestroyExceptionExitMajorMinorRaiseSetupThreadmemsetwcsrchr
                                                        • String ID: <unknown>$C:\$Windows.~WS\Sources\SetupHost.Exe$WdsInitializeCallbackArray
                                                        • API String ID: 761975107-2915719201
                                                        • Opcode ID: d5924854f19c14ea5d9dc50ca25e165ab195d6ffc8d1127aeeaf3282d69c486a
                                                        • Instruction ID: 8931e11ed044a359a4e4d72d93f0384033273d81a8503c01c26f1c9ae2ef1211
                                                        • Opcode Fuzzy Hash: d5924854f19c14ea5d9dc50ca25e165ab195d6ffc8d1127aeeaf3282d69c486a
                                                        • Instruction Fuzzy Hash: 27914AB6604301AFDB009F65C884A5EBBF9FF89350F11895DFA8AD7290D735D841CBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 282 703800a0-703800b5 283 703800be-703800c8 GetLastError call 7037fdab 282->283 284 703800b7-703800b9 282->284 287 703800cd-703800d1 283->287 285 703801fc-703801fe 284->285 288 703801f0-703801fb SetLastError 287->288 289 703800d7-703800ec 287->289 288->285 290 703800f2-703800f8 289->290 291 703801e6-703801ec 289->291 293 703800fa-70380120 FormatMessageW 290->293 294 70380130-70380132 290->294 292 703801ef 291->292 292->288 296 70380129-7038012e 293->296 297 70380122-70380127 293->297 295 70380135-7038013a 294->295 295->295 298 7038013c-7038015a GetProcessHeap HeapAlloc 295->298 296->294 299 70380185 296->299 297->294 300 7038015c-70380171 call 703691e5 298->300 301 7038017e-70380183 298->301 302 70380187-703801c3 call 703691e5 call 7037d089 299->302 307 7038017a-7038017c 300->307 308 70380173-70380175 300->308 301->302 311 703801d5-703801d9 302->311 312 703801c5-703801cf GetProcessHeap HeapFree 302->312 307->302 308->307 311->292 313 703801db-703801e4 LocalFree 311->313 312->311 313->292
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000), ref: 703800BF
                                                        • FormatMessageW.KERNEL32(00000900,00000000,00000400,00000000,00000000,?,WdsInitializeCallbackArray), ref: 70380118
                                                        • GetProcessHeap.KERNEL32(00000000,?,WdsInitializeCallbackArray), ref: 70380149
                                                        • HeapAlloc.KERNEL32(00000000), ref: 70380150
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,ConstructPartialMsgVW: MALLOC failed,?), ref: 703801C8
                                                        • HeapFree.KERNEL32(00000000), ref: 703801CF
                                                        • LocalFree.KERNEL32(00000000,ConstructPartialMsgVW: MALLOC failed,?), ref: 703801DE
                                                        • SetLastError.KERNEL32(?), ref: 703801F3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$ErrorFreeLastProcess$AllocFormatLocalMessage
                                                        • String ID: %*s$ConstructPartialMsgVW: MALLOC failed$Log: Failed To Get Msg From ID$WdsInitializeCallbackArray
                                                        • API String ID: 804065711-2466152657
                                                        • Opcode ID: 432e80f74bafd80c6ce4d6150386357be1823b6f8036ac2bbf058de1d91cddf0
                                                        • Instruction ID: 9b0008607653aa58b35df953e68b3c72324e4355f2933ceb0ff76d1d7f6082e9
                                                        • Opcode Fuzzy Hash: 432e80f74bafd80c6ce4d6150386357be1823b6f8036ac2bbf058de1d91cddf0
                                                        • Instruction Fuzzy Hash: DC41BF7A600205AFD7529FA9CC48BAE77FEAF44310F2145ADE946CB295DB34DA01CB20
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 314 70384e42-70384e5e 315 70385024-70385032 call 70389040 314->315 316 70384e64-70384e7d 314->316 318 70384e9b 316->318 319 70384e7f-70384e99 GetVersion 316->319 320 70384ea0-70384eac 318->320 319->320 322 70384f1a-70384f56 320->322 323 70384eae-70384f01 GetModuleHandleW 320->323 324 70384f60-70384fde memset ExpandEnvironmentStringsW 322->324 323->324 325 70384f03-70384f11 GetProcAddress 323->325 327 70385019 324->327 328 70384fe0-70384ff1 LoadLibraryExW 324->328 325->324 326 70384f13-70384f18 325->326 326->324 331 70385023 327->331 329 70384ff3-70385004 FreeLibrary 328->329 330 70385006-70385017 GetProcAddress 328->330 329->331 330->331 331->315
                                                        APIs
                                                        • GetVersion.KERNEL32(?), ref: 70384E85
                                                        • GetModuleHandleW.KERNEL32(kernel32,?), ref: 70384EF9
                                                        • GetProcAddress.KERNEL32(00000000,AddVectoredExceptionHandler), ref: 70384F09
                                                        • memset.MSVCRT ref: 70384FBD
                                                        • ExpandEnvironmentStringsW.KERNEL32(%windir%\system32\dbghelp.dll,?,00000104,?,?,?), ref: 70384FD6
                                                        • LoadLibraryExW.KERNELBASE(?,00000000,00000000,?,?,?), ref: 70384FE9
                                                        • FreeLibrary.KERNEL32(00000000,?,?,?), ref: 70384FFE
                                                        • GetProcAddress.KERNELBASE(00000000,MiniDumpWriteDump), ref: 7038500C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: AddressLibraryProc$EnvironmentExpandFreeHandleLoadModuleStringsVersionmemset
                                                        • String ID: %windir%\system32\dbghelp.dll$AddVectoredExceptionHandler$MiniDumpWriteDump$kernel32
                                                        • API String ID: 997276966-3676913557
                                                        • Opcode ID: e20c71a0a3a1e067226445bab41ccc2593ff8463ac50f3f376d81d338fb652b9
                                                        • Instruction ID: f8d79e4b6f11af3adfbf5bcacfdca1cd7f76b3c3e7d06be6f0d5714a7abade12
                                                        • Opcode Fuzzy Hash: e20c71a0a3a1e067226445bab41ccc2593ff8463ac50f3f376d81d338fb652b9
                                                        • Instruction Fuzzy Hash: 2A41E4BA5002049EE7009F63ED44B4E7BBCFB45754B3045D9E6039A6E8E7F19000EBB8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 477 7037d33c-7037d364 call 7038851e 480 7037d366-7037d369 477->480 481 7037d36b-7037d386 AllocateAndInitializeSid 477->481 482 7037d3ab-7037d3b7 call 70389040 480->482 483 7037d3a9 481->483 484 7037d388-7037d39b CheckTokenMembership 481->484 483->482 485 7037d3a0-7037d3a3 FreeSid 484->485 486 7037d39d 484->486 485->483 486->485
                                                        APIs
                                                          • Part of subcall function 7038851E: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 70388559
                                                          • Part of subcall function 7038851E: CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 7038856E
                                                          • Part of subcall function 7038851E: FreeSid.ADVAPI32(?), ref: 70388588
                                                          • Part of subcall function 7038851E: SetLastError.KERNEL32(00000000), ref: 70388599
                                                        • AllocateAndInitializeSid.ADVAPI32(7038B0B8,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,7037F248,WdsSetupLogInit,?,7037F248,7038B0B8), ref: 7037D37E
                                                        • CheckTokenMembership.ADVAPI32(00000000,7037F248,?,?,7037F248,7038B0B8), ref: 7037D393
                                                        • FreeSid.ADVAPI32(7037F248,?,7037F248,7038B0B8), ref: 7037D3A3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: AllocateCheckFreeInitializeMembershipToken$ErrorLast
                                                        • String ID: WdsSetupLogInit
                                                        • API String ID: 217881015-3317556560
                                                        • Opcode ID: 0ba90cf5fae819ee61e3c6cf69375a2080062556ef34faebdb50c73efc90743b
                                                        • Instruction ID: 9db74eca0c89f224ff34862b119bf5b67950b0b2b7985bebd9b2ecdecd2b54a3
                                                        • Opcode Fuzzy Hash: 0ba90cf5fae819ee61e3c6cf69375a2080062556ef34faebdb50c73efc90743b
                                                        • Instruction Fuzzy Hash: 20011AB5A00209AFEB00DFA6CDC4AAFBBBCFB48244F60546DA502E6181D734DA058B31
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 242 70387a71-70387ab0 call 703896a4 _wfopen 245 70387c7d-70387c9b call 70387ca6 242->245 246 70387ab6-70387ad9 GetProcessHeap HeapAlloc 242->246 247 70387adb 246->247 247->245 249 70387ae1 247->249 251 70387ae4-70387af4 fgetws 249->251 252 70387afa-70387afc 251->252 253 70387c76 251->253 254 70387aff-70387b08 252->254 253->245 254->254 255 70387b0a-70387b16 254->255 256 70387b88-70387b8d 255->256 257 70387b18-70387b1e 255->257 259 70387b8f-70387b95 256->259 260 70387bc3-70387bc5 256->260 257->256 258 70387b20-70387b43 GetProcessHeap HeapReAlloc 257->258 258->245 262 70387b49-70387b6f fgetws 258->262 259->260 263 70387b97-70387b9a 259->263 261 70387bc6-70387bc8 260->261 261->251 264 70387bce-70387bd6 261->264 262->252 265 70387b71-70387b7d feof 262->265 266 70387b9c-70387ba9 iswctype 263->266 267 70387bc0 263->267 268 70387bd8-70387bda 264->268 269 70387c45-70387c5b swscanf_s 264->269 265->245 270 70387b83 265->270 271 70387bab-70387bb0 266->271 272 70387bb2-70387bbe 266->272 267->260 273 70387beb-70387bed 268->273 274 70387bdc-70387be5 GetProcessHeap HeapFree 268->274 269->245 275 70387c5d-70387c71 call 70387813 269->275 270->252 271->261 272->263 276 70387bfe-70387c37 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 273->276 277 70387bef-70387bf8 GetProcessHeap HeapFree 273->277 274->273 275->247 276->245 279 70387c39-70387c3b 276->279 277->276 279->245 281 70387c3d-70387c42 279->281 281->269
                                                        APIs
                                                        • _wfopen.MSVCRT ref: 70387AA3
                                                        • GetProcessHeap.KERNEL32(00000000,00000200), ref: 70387AC7
                                                        • HeapAlloc.KERNEL32(00000000), ref: 70387ACE
                                                        • fgetws.MSVCRT ref: 70387AE9
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?), ref: 70387B32
                                                        • HeapReAlloc.KERNEL32(00000000), ref: 70387B39
                                                        • fgetws.MSVCRT ref: 70387B64
                                                        • feof.MSVCRT ref: 70387B74
                                                        • iswctype.MSVCRT(?,00000008), ref: 70387B9F
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 70387BDE
                                                        • HeapFree.KERNEL32(00000000), ref: 70387BE5
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 70387BF1
                                                        • HeapFree.KERNEL32(00000000), ref: 70387BF8
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 70387C0E
                                                        • HeapAlloc.KERNEL32(00000000), ref: 70387C15
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 70387C20
                                                        • HeapAlloc.KERNEL32(00000000), ref: 70387C27
                                                        • swscanf_s.MSVCRT ref: 70387C4F
                                                          • Part of subcall function 70387813: _wcsicmp.MSVCRT ref: 70387843
                                                          • Part of subcall function 70387813: _wcsicmp.MSVCRT ref: 7038788A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free_wcsicmpfgetws$_wfopenfeofiswctypeswscanf_s
                                                        • String ID: %s %[^]
                                                        • API String ID: 1979924226-2460127861

                                                        APIs
                                                        • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,7036A02F), ref: 7037FDC1
                                                        • EnterCriticalSection.KERNEL32(7038DF18,?,?,?,?,?,?,?,7036A02F), ref: 7037FDD9
                                                        • GetProcessHeap.KERNEL32(00000000,00000004,?,?,?,?,?,?,?,7036A02F), ref: 7037FDED
                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,7036A02F), ref: 7037FDF4
                                                        • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,7036A02F), ref: 7037FE38
                                                        • HeapReAlloc.KERNEL32(00000000,00000000,033DBAF0,00000001,?,?,?,?,?,?,?,7036A02F), ref: 7037FE43
                                                        • GetProcessHeap.KERNEL32(00000000,00008014,?,?,?,?,?,?,?,7036A02F), ref: 7037FE6E
                                                        • RtlAllocateHeap.NTDLL(00000000,?,?,?,?,?,?,?,7036A02F), ref: 7037FE75
                                                        • TlsSetValue.KERNEL32(00000000,?,?,?,?,?,?,?,7036A02F), ref: 7037FE9C
                                                        • LeaveCriticalSection.KERNEL32(7038DF18,?,?,?,?,?,?,?,7036A02F), ref: 7037FEFF
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocCriticalSectionValue$AllocateEnterLeave
                                                        • String ID:
                                                        • API String ID: 137540307-0

                                                        APIs
                                                        • FreeSid.ADVAPI32(00000000,703846B8,?,00000001,7038B628), ref: 703846F6
                                                        • FreeSid.ADVAPI32(00000000,703846B8,?,00000001), ref: 70384708
                                                        • FreeSid.ADVAPI32(00000000,703846B8,?,00000001), ref: 7038471A
                                                        • FindCloseChangeNotification.KERNELBASE(00000001,703846B8,?,00000001), ref: 7038472B
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,703846B8,?,00000001), ref: 7038473A
                                                        • HeapFree.KERNEL32(00000000,?,00000001), ref: 70384741
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Free$Heap$ChangeCloseFindNotificationProcess
                                                        • String ID: L8p
                                                        • API String ID: 1878378377-356890645

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,?,?,03251ADC,?,03251ADC,?,7038527B,?,?,03251AD0,?,7038256F,?,03251AD0,00000000), ref: 703851F7
                                                        • RtlAllocateHeap.NTDLL(00000000,?,7038527B,?,?,03251AD0,?,7038256F,?,03251AD0,00000000,?,?,70382D90,?,00000004), ref: 703851FE
                                                        • GetProcessHeap.KERNEL32(?,03251ADC,?,03251ADC,?,7038527B,?,?,03251AD0,?,7038256F,?,03251AD0,00000000,?), ref: 70385221
                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,7038527B,?,?,03251AD0,?,7038256F,?,03251AD0,00000000,?,?,70382D90), ref: 7038522D
                                                        • GetProcessHeap.KERNEL32(00000000,?,?,7038527B,?,?,03251AD0,?,7038256F,?,03251AD0,00000000,?,?,70382D90,?), ref: 70385236
                                                        • HeapAlloc.KERNEL32(00000000,?,7038527B,?,?,03251AD0,?,7038256F,?,03251AD0,00000000,?,?,70382D90,?,00000004), ref: 7038523D
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocAllocateFree
                                                        • String ID:
                                                        • API String ID: 1927113959-0

                                                        APIs
                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 70388559
                                                        • CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 7038856E
                                                        • GetLastError.KERNEL32 ref: 7038857D
                                                        • FreeSid.ADVAPI32(?), ref: 70388588
                                                        • GetLastError.KERNEL32 ref: 70388590
                                                        • SetLastError.KERNEL32(00000000), ref: 70388599
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$AllocateCheckFreeInitializeMembershipToken
                                                        • String ID:
                                                        • API String ID: 1125035699-0

                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(7038DF40,7038A680,0000001C), ref: 7036EF66
                                                        • WdsSetupLogInit.WDSCORE(00000000,?,?), ref: 7036F001
                                                        • WdsSetupLogInit.WDSCORE(00000000,?,?), ref: 7036F00C
                                                        • WdsSetupLogInit.WDSCORE(00000000,?,?,00000000,?,?), ref: 7036F02C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: InitSetup$CriticalEnterSection
                                                        • String ID: C:\$Windows.~WS\Sources\Panther
                                                        • API String ID: 2133636007-713195763

                                                        APIs
                                                        • GetProcessHeap.KERNEL32 ref: 703862AA
                                                        • HeapFree.KERNEL32(00000000,00000000,?), ref: 703862B5
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 703862C4
                                                        • HeapAlloc.KERNEL32(00000000), ref: 703862CB
                                                        • GetFileSizeEx.KERNEL32(?,?), ref: 70386342
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFileFreeSize
                                                        • String ID:
                                                        • API String ID: 2012773705-0

                                                        APIs
                                                          • Part of subcall function 70380B42: __EH_prolog3.LIBCMT ref: 70380B49
                                                          • Part of subcall function 70380B42: memset.MSVCRT ref: 70380BD3
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 70380CBF
                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 70380CC6
                                                        • memset.MSVCRT ref: 70380CE2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heapmemset$AllocateH_prolog3Process
                                                        • String ID: xxx
                                                        • API String ID: 666435912-479980042

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: H_prolog3memset
                                                        • String ID: Section
                                                        • API String ID: 747782440-3805168499

                                                        APIs
                                                        • GetLastError.KERNEL32(?,00000000,00000000,00000002), ref: 703853B7
                                                        • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000002), ref: 703853DD
                                                        • SetLastError.KERNEL32(00000001,?,?,?,00000000,00000000,00000002), ref: 703853EA
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID:
                                                        • API String ID: 1452528299-0

                                                        APIs
                                                          • Part of subcall function 70384474: InitializeSecurityDescriptor.ADVAPI32(?,00000001,7038B628,00000038,70384CE4), ref: 703844B2
                                                          • Part of subcall function 70384474: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,8L8p,?,00000001,7038B628,00000038,70384CE4), ref: 703844D7
                                                          • Part of subcall function 70384474: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,7038B628,?,00000001,7038B628,00000038,70384CE4), ref: 703844F8
                                                          • Part of subcall function 70384474: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,L8p,?,00000001,7038B628,00000038,70384CE4), ref: 70384519
                                                          • Part of subcall function 70384474: GetCurrentThread.KERNEL32 ref: 7038452F
                                                          • Part of subcall function 70384474: OpenThreadToken.ADVAPI32(00000000,?,00000001,7038B628,00000038,70384CE4), ref: 70384536
                                                          • Part of subcall function 70384474: GetLastError.KERNEL32(?,00000001,7038B628,00000038,70384CE4), ref: 70384540
                                                          • Part of subcall function 70384474: GetCurrentProcess.KERNEL32(00000008,00000001,?,00000001,7038B628,00000038,70384CE4), ref: 70384557
                                                          • Part of subcall function 70384474: OpenProcessToken.ADVAPI32(00000000,?,00000001,7038B628,00000038,70384CE4), ref: 7038455E
                                                        • CreateFileMappingW.KERNELBASE(000000FF,00000000,08000004,00000000,?,?), ref: 70384D7E
                                                        • GetLastError.KERNEL32 ref: 70384D9C
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Initialize$Allocate$CurrentErrorLastOpenProcessThreadToken$CreateDescriptorFileMappingSecurity
                                                        • String ID:
                                                        • API String ID: 2809032385-0
                                                        • Opcode ID: a6a87c8abd16bf4363f927aaf964f8008b332759b9a8ae56fdce90047d9eed0d
                                                        • Instruction ID: 445af94893a027f1972ec17ec1d3e884bd8945499f52682269e58257ad40c015
                                                        • Opcode Fuzzy Hash: a6a87c8abd16bf4363f927aaf964f8008b332759b9a8ae56fdce90047d9eed0d
                                                        • Instruction Fuzzy Hash: 0B018837A00218AFDB119FA98844B9E7BB9EB54661F214168A915E71C0D674990587B0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 70384474: InitializeSecurityDescriptor.ADVAPI32(?,00000001,7038B628,00000038,70384CE4), ref: 703844B2
                                                          • Part of subcall function 70384474: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,8L8p,?,00000001,7038B628,00000038,70384CE4), ref: 703844D7
                                                          • Part of subcall function 70384474: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,7038B628,?,00000001,7038B628,00000038,70384CE4), ref: 703844F8
                                                          • Part of subcall function 70384474: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,L8p,?,00000001,7038B628,00000038,70384CE4), ref: 70384519
                                                          • Part of subcall function 70384474: GetCurrentThread.KERNEL32 ref: 7038452F
                                                          • Part of subcall function 70384474: OpenThreadToken.ADVAPI32(00000000,?,00000001,7038B628,00000038,70384CE4), ref: 70384536
                                                          • Part of subcall function 70384474: GetLastError.KERNEL32(?,00000001,7038B628,00000038,70384CE4), ref: 70384540
                                                          • Part of subcall function 70384474: GetCurrentProcess.KERNEL32(00000008,00000001,?,00000001,7038B628,00000038,70384CE4), ref: 70384557
                                                          • Part of subcall function 70384474: OpenProcessToken.ADVAPI32(00000000,?,00000001,7038B628,00000038,70384CE4), ref: 7038455E
                                                        • CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 70384D03
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 70384D18
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Initialize$Allocate$CurrentOpenProcessThreadToken$CreateDescriptorErrorLastMutexObjectSecuritySingleWait
                                                        • String ID:
                                                        • API String ID: 3485390411-0
                                                        • Opcode ID: 5a287f5795818271fb7e2338020104c8f5591d4ac106105924d674fa08ff97c4
                                                        • Instruction ID: fafa7f93d862bfa2972d0594160ac935a447841105b9c7ca804341256ac12a4a
                                                        • Opcode Fuzzy Hash: 5a287f5795818271fb7e2338020104c8f5591d4ac106105924d674fa08ff97c4
                                                        • Instruction Fuzzy Hash: 2EF0FC32D00128AFDB019B558C04BDDB778EF44720F214145EC12672C0D7789A05CBE0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetFilePointer.KERNELBASE(?,?,?,?), ref: 70384832
                                                        • GetLastError.KERNEL32 ref: 70384840
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastPointer
                                                        • String ID:
                                                        • API String ID: 2976181284-0
                                                        • Opcode ID: e93112737cfc700661dca0d4f510209b0fa9cfa569be628671398cac69ce55cb
                                                        • Instruction ID: e35db61230a3d77ac6dd99bd4d7f4eb8b1c4ee3f569ef434b7df9382ec53a704
                                                        • Opcode Fuzzy Hash: e93112737cfc700661dca0d4f510209b0fa9cfa569be628671398cac69ce55cb
                                                        • Instruction Fuzzy Hash: 04F015B6910128BF9B04CFA5EC498AE7BA9EB45360B208255FC16D3280E6719E40DAA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • FindCloseChangeNotification.KERNELBASE(?), ref: 703847B8
                                                        • DebugBreak.KERNEL32 ref: 703847C2
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: BreakChangeCloseDebugFindNotification
                                                        • String ID:
                                                        • API String ID: 1008326382-0
                                                        • Opcode ID: 1d80f5f35be8db0f4e8035f92b72d586c9cfd60d473969c6895fb7eceeedebf6
                                                        • Instruction ID: fc637a040d28bc215b08d22bfc81ff4c1504d9fe81cca4022f0e20fdd2d8cc04
                                                        • Opcode Fuzzy Hash: 1d80f5f35be8db0f4e8035f92b72d586c9cfd60d473969c6895fb7eceeedebf6
                                                        • Instruction Fuzzy Hash: BDC08C33000108AF93002B53DC0CA0A3E6EFBA1A513228060F41581060DB3188108571
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 68f2249b544a43d4d2bfb84e5ff530d7e92a48bac7e5f6374c123c8e4b89cb7a
                                                        • Instruction ID: 007cb333967c82fc3b9740f255605f0ec164f67e2d08cf4667a7287ae2bbc65a
                                                        • Opcode Fuzzy Hash: 68f2249b544a43d4d2bfb84e5ff530d7e92a48bac7e5f6374c123c8e4b89cb7a
                                                        • Instruction Fuzzy Hash: EC911A7AE00619DFCF05CF65C9949ADBBB9FF89710B154099E802A73A0CB74AD41CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateFileW.KERNELBASE(?,C0000000,?,00000000,?,?,00000000), ref: 70384E08
                                                          • Part of subcall function 70384474: InitializeSecurityDescriptor.ADVAPI32(?,00000001,7038B628,00000038,70384CE4), ref: 703844B2
                                                          • Part of subcall function 70384474: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,8L8p,?,00000001,7038B628,00000038,70384CE4), ref: 703844D7
                                                          • Part of subcall function 70384474: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,7038B628,?,00000001,7038B628,00000038,70384CE4), ref: 703844F8
                                                          • Part of subcall function 70384474: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000013,00000000,00000000,00000000,00000000,00000000,00000000,00000000,L8p,?,00000001,7038B628,00000038,70384CE4), ref: 70384519
                                                          • Part of subcall function 70384474: GetCurrentThread.KERNEL32 ref: 7038452F
                                                          • Part of subcall function 70384474: OpenThreadToken.ADVAPI32(00000000,?,00000001,7038B628,00000038,70384CE4), ref: 70384536
                                                          • Part of subcall function 70384474: GetLastError.KERNEL32(?,00000001,7038B628,00000038,70384CE4), ref: 70384540
                                                          • Part of subcall function 70384474: GetCurrentProcess.KERNEL32(00000008,00000001,?,00000001,7038B628,00000038,70384CE4), ref: 70384557
                                                          • Part of subcall function 70384474: OpenProcessToken.ADVAPI32(00000000,?,00000001,7038B628,00000038,70384CE4), ref: 7038455E
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Initialize$Allocate$CurrentOpenProcessThreadToken$CreateDescriptorErrorFileLastSecurity
                                                        • String ID:
                                                        • API String ID: 720879468-0
                                                        • Opcode ID: cb207deb4c88d438f5998a5649285eee99a6e84ee602faae0298b641081b98af
                                                        • Instruction ID: db2a358cb7b845819ffc5557c5f7084d5bffe0c9671d9cb52882a3828b6c5bd3
                                                        • Opcode Fuzzy Hash: cb207deb4c88d438f5998a5649285eee99a6e84ee602faae0298b641081b98af
                                                        • Instruction Fuzzy Hash: 2CF04932900228AFEF118F96CC04BDEBB79EB94650F114055FE15B72A1D7709A16CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WdsSetupLogDestroy.WDSCORE ref: 7037F09E
                                                          • Part of subcall function 7037F230: GetLastError.KERNEL32 ref: 7037F26D
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: DestroyErrorLastSetup
                                                        • String ID:
                                                        • API String ID: 1623102149-0
                                                        • Opcode ID: 3e5ba7d0b478476bbffe79f5ac81ee1d4019e27a941bf6a4aa478d0505036b6a
                                                        • Instruction ID: 0520c84962d3b791979b78da9098bd5e51cb70bff0e6ad40a4824b7460712aba
                                                        • Opcode Fuzzy Hash: 3e5ba7d0b478476bbffe79f5ac81ee1d4019e27a941bf6a4aa478d0505036b6a
                                                        • Instruction Fuzzy Hash: AAE08C769101258FCB106B238C4431D7B79BF98618F2140EAE406632A1CB752C02EFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 703847F2
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: FileView
                                                        • String ID:
                                                        • API String ID: 3314676101-0
                                                        • Opcode ID: 3625790ae46c08a5839da26e485ce44d96658ecf51ecbf71516211efae4468b5
                                                        • Instruction ID: 7f235295dd87f7042bdb9858b8b442cefd8037d4ca5fe6473311c544c77bdcd1
                                                        • Opcode Fuzzy Hash: 3625790ae46c08a5839da26e485ce44d96658ecf51ecbf71516211efae4468b5
                                                        • Instruction Fuzzy Hash: 45C092B224024CBFE7102A62DC0DE77BB6DDBA4750B108421BF08C5463DA719C21B5B4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 70384873
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: FileWrite
                                                        • String ID:
                                                        • API String ID: 3934441357-0
                                                        • Opcode ID: f430a98f7a8851a53e7bf0d3344570d0ffb63650d73ea070bd2e6cfc47bd6a84
                                                        • Instruction ID: fb1e38d36f200e245108368077032419c9b85cf2509cd495d8cf01af6e5cbae6
                                                        • Opcode Fuzzy Hash: f430a98f7a8851a53e7bf0d3344570d0ffb63650d73ea070bd2e6cfc47bd6a84
                                                        • Instruction Fuzzy Hash: F5C0023704024DBFCF125F82DD05F9A3F2AEB98760F148411FA19190A187729931EB65
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ConstructPartial
                                                        • String ID:
                                                        • API String ID: 2575519416-0
                                                        • Opcode ID: 45af8561f4c90f67ff2bb6ed6c4432613e7431a3da425b1c47fe975eaca2d5a2
                                                        • Instruction ID: 02e4aaf7f57d6b6cd188182224ab341e67eeb343f49560185b6f0923acc4950c
                                                        • Opcode Fuzzy Hash: 45af8561f4c90f67ff2bb6ed6c4432613e7431a3da425b1c47fe975eaca2d5a2
                                                        • Instruction Fuzzy Hash: B5C09B7300014C7FCF115E81DC01DAE7B5DEBC4310F544051BD1C8D010D631EA659754
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast
                                                        • String ID:
                                                        • API String ID: 1452528299-0
                                                        • Opcode ID: a690e934b8e739306c38c3bc1e196c2597210771757fdd18ed885a499aeee2b9
                                                        • Instruction ID: af6ce09ab641ab16c0a5ecee32c09964caa332c898d10d5b491b4d9f3c179f68
                                                        • Opcode Fuzzy Hash: a690e934b8e739306c38c3bc1e196c2597210771757fdd18ed885a499aeee2b9
                                                        • Instruction Fuzzy Hash: 10119D76240214AFDB015F3ADC09B5E7BADEB94760F21069AF916DB2E0DBF09C40DB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 70370331: memset.MSVCRT ref: 70370359
                                                        • memset.MSVCRT ref: 70370BE0
                                                        • memset.MSVCRT ref: 70370BEF
                                                          • Part of subcall function 703691E5: _vsnwprintf.MSVCRT ref: 7036920C
                                                        • GetLastError.KERNEL32 ref: 70370C18
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • GetLastError.KERNEL32 ref: 70370C67
                                                        • memset.MSVCRT ref: 70370D60
                                                        • GetLastError.KERNEL32(00000208), ref: 70370D78
                                                        • GetLastError.KERNEL32 ref: 70370EE7
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000006EB,onecore\base\ntsetup\panther\engine\engine.cpp,WdsExecuteWorkQueue2,?,00000000,00000000,00000000), ref: 7037102A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastmemset$ConstructMessagePartialSetup_vsnwprintf
                                                        • String ID: %s%s$C:\$Windows.~WS\Sources\Panther$Could not load SEQ state from '%s'$Could not locate saved '%s' in working directory$Failed to add all setup modules$Failed to initialize setup groups$Failed to initialize setup modules$Online$WdsExecuteWorkQueue2$WdsExecuteWorkQueue2 with WDS_START_EMPTY_QUEUE given 0 modules or 0 groups$onecore\base\ntsetup\panther\engine\engine.cpp$stringcchprintf failed for '%s'
                                                        • API String ID: 1075560621-1557913193
                                                        • Opcode ID: c292c8eb15e725013d26347deb1a9f7ebe30ff0bc52afaece7b0efd9984452c8
                                                        • Instruction ID: cbf3c97b1f1c42a4e9abddf305fd47387b1fcaf8aac3a7c5c06983db67abe00e
                                                        • Opcode Fuzzy Hash: c292c8eb15e725013d26347deb1a9f7ebe30ff0bc52afaece7b0efd9984452c8
                                                        • Instruction Fuzzy Hash: B6C12A72A00215BFE7119B62DC86E9F376DDF44210F218299FD46AF188DBB4BD41DBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 70370331: memset.MSVCRT ref: 70370359
                                                          • Part of subcall function 7036F945: memset.MSVCRT ref: 7036F96D
                                                          • Part of subcall function 7036F945: memset.MSVCRT ref: 7036F97B
                                                          • Part of subcall function 7036F945: GetLastError.KERNEL32 ref: 7036F98C
                                                          • Part of subcall function 7036F945: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000002D8,onecore\base\ntsetup\panther\engine\engine.cpp,pCreateCleanTempDir,?,00000000,00000000,00000000), ref: 7036F9C7
                                                        • GetLastError.KERNEL32 ref: 70370838
                                                        • GetLastError.KERNEL32 ref: 7037088F
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000005B6,onecore\base\ntsetup\panther\engine\engine.cpp,WdsExecuteWorkQueue,?,00000000,00000000,00000000), ref: 7037077B
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                          • Part of subcall function 7036FF7D: EnterCriticalSection.KERNEL32(7038DF40,7038A7C0,00000014,703708EC,00000208), ref: 7036FF9D
                                                          • Part of subcall function 7036FF7D: GetLastError.KERNEL32 ref: 7036FFAD
                                                          • Part of subcall function 7036FF7D: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000460,onecore\base\ntsetup\panther\engine\engine.cpp,pLookupContentsFileEntry,?,00000000,00000000,00000000), ref: 7036FFEA
                                                        • GetLastError.KERNEL32 ref: 7037073C
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • memset.MSVCRT ref: 703707B1
                                                        • memset.MSVCRT ref: 703707C0
                                                        • GetLastError.KERNEL32 ref: 703707E9
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000005C1,onecore\base\ntsetup\panther\engine\engine.cpp,WdsExecuteWorkQueue,?,00000000,00000000,00000000), ref: 70370B1F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$memset$MessageSetup$Heap$AllocConstructCriticalEnterPartialProcessSection
                                                        • String ID: %s%s$C:\$Windows.~WS\Sources\Panther$Could not load SEQ state from '%s'$Could not locate saved '%s' in working directory$Couldn't create clean panther temp dir$Failed to initialize setup groups$Failed to initialize setup modules$Online$WdsExecuteWorkQueue$WdsExecuteWorkQueue with WDS_START_EMPTY_QUEUE given 0 modules or 0 groups$onecore\base\ntsetup\panther\engine\engine.cpp$stringcchprintf failed for '%s'
                                                        • API String ID: 2852933034-1787385543
                                                        • Opcode ID: f66bc606663596a29e87cc9df9512b945414448a7647bc7555056a34e8d0f7d3
                                                        • Instruction ID: 18d6f4e4f534057ea94a9262c5868fd1c5dd9b5d3e0ef3f3df92dfb75db44c27
                                                        • Opcode Fuzzy Hash: f66bc606663596a29e87cc9df9512b945414448a7647bc7555056a34e8d0f7d3
                                                        • Instruction Fuzzy Hash: 21B1C776A00215FFE7159B51CC8AF9F37ADEB44310F208259F945AF288E7B4BD118BA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 70384E42: GetVersion.KERNEL32(?), ref: 70384E85
                                                          • Part of subcall function 70384E42: GetModuleHandleW.KERNEL32(kernel32,?), ref: 70384EF9
                                                          • Part of subcall function 70384E42: GetProcAddress.KERNEL32(00000000,AddVectoredExceptionHandler), ref: 70384F09
                                                          • Part of subcall function 70384E42: memset.MSVCRT ref: 70384FBD
                                                          • Part of subcall function 70384E42: ExpandEnvironmentStringsW.KERNEL32(%windir%\system32\dbghelp.dll,?,00000104,?,?,?), ref: 70384FD6
                                                          • Part of subcall function 70384E42: LoadLibraryExW.KERNELBASE(?,00000000,00000000,?,?,?), ref: 70384FE9
                                                          • Part of subcall function 70384E42: FreeLibrary.KERNEL32(00000000,?,?,?), ref: 70384FFE
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,7038B078,00000078), ref: 7037E31E
                                                        • SetUnhandledExceptionFilter.KERNEL32(7037DA00), ref: 7037E4BB
                                                        • GetCurrentProcessId.KERNEL32 ref: 7037E4D2
                                                        • WdsLogRegStockProviders.WDSCORE(?,?,?,?,?,?,7038B078,00000078), ref: 7037E532
                                                        • WdsLogCreate.WDSCORE(|Y6p,70365DC0,00000011,?,?,?,?,?,?,7038B078,00000078), ref: 7037E541
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Library$AddressCreateCurrentEnvironmentErrorExceptionExpandFilterFreeHandleLastLoadModuleProcProcessProvidersStockStringsUnhandledVersionmemset
                                                        • String ID: C:\$Windows.~WS\Sources\SetupHost.Exe$C:\$Windows.~WS\Sources\SetupHost.Exe$Con$Err$Fil$Fun$Global\SetupLog$Global\WdsSetupLogInit$Msg$SetupLog$Sev$Uid$WdsSetupLogInit$|Y6p$Y6p
                                                        • API String ID: 2823161042-4229775185
                                                        • Opcode ID: 2b479958f2d8c8ed89fbcc62d961cdfef7fcc786672886aa0e4cf9cce847f16e
                                                        • Instruction ID: 7ec59b89990079f5ca8a156211e68c150a9ed7d09aa369b05f8af7d43486640c
                                                        • Opcode Fuzzy Hash: 2b479958f2d8c8ed89fbcc62d961cdfef7fcc786672886aa0e4cf9cce847f16e
                                                        • Instruction Fuzzy Hash: D4814FB5D00218DFDB01DFA6C98479DBBF8BF48324F20816AE946EB294D7B49901DF64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 703691E5: _vsnwprintf.MSVCRT ref: 7036920C
                                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?,00000000), ref: 7036EA8D
                                                        • wcsncmp.MSVCRT(Contents,?,00000008,?,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?,00000000), ref: 7036EABA
                                                        • _wtoi.MSVCRT ref: 7036EACE
                                                        • _wtoi.MSVCRT ref: 7036EAE0
                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?,00000000), ref: 7036EAF7
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?,00000000), ref: 7036EB0A
                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?,00000000), ref: 7036EB22
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000021B,onecore\base\ntsetup\panther\engine\objectfile.c,pGetHighestNumberedFile,?,00000000,?,?,?,?,?,?,00000001), ref: 7036EB5B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileFindLast_wtoi$FirstMessageNextSetup_vsnwprintfwcsncmp
                                                        • String ID: %s*.%s$Contents$dir$onecore\base\ntsetup\panther\engine\objectfile.c$pGetHighestNumberedFile$pGetNewFileName couldn't find next file!
                                                        • API String ID: 2760992724-3162674472
                                                        • Opcode ID: f59612e8d2b85cd77524b12af468a3a7533b489cf8b7f4dc16499b9d1fc728c0
                                                        • Instruction ID: 76be11d7000cb798b54fddb500dae434bac8d589e9517dbf9548e99b7435194e
                                                        • Opcode Fuzzy Hash: f59612e8d2b85cd77524b12af468a3a7533b489cf8b7f4dc16499b9d1fc728c0
                                                        • Instruction Fuzzy Hash: 9D3193B2901214AFDB10DFA5CC45BCEB7BDAB84214F1143DAF90AE7185EB319E588F60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(7037DA00,70384CD0,WdsSetupLogInit,?,?,7037F29D), ref: 7037F108
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,00000000,?,?,7037F29D), ref: 7037F119
                                                        • TlsFree.KERNEL32(?,?,7037F29D), ref: 7037F12C
                                                        • TlsGetValue.KERNEL32(?,?,7037F29D), ref: 7037F13F
                                                        • TlsFree.KERNEL32(?,?,7037F29D), ref: 7037F17C
                                                        • EnterCriticalSection.KERNEL32(7038DF18,?,?,7037F29D), ref: 7037F18E
                                                        • GetProcessHeap.KERNEL32(?,?,7037F29D), ref: 7037F1B3
                                                        • HeapFree.KERNEL32(00000000,00000000,7037F29D,?,?,7037F29D), ref: 7037F1BF
                                                        • GetProcessHeap.KERNEL32(?,?,7037F29D), ref: 7037F1D5
                                                        • HeapFree.KERNEL32(00000000,00000000,033DBAF0,?,?,7037F29D), ref: 7037F1E0
                                                        • LeaveCriticalSection.KERNEL32(7038DF18,?,?,7037F29D), ref: 7037F1FD
                                                        • WdsLogDestroy.WDSCORE(03251AF0,?,7037F29D), ref: 7037F209
                                                        • WdsLogUnRegStockProviders.WDSCORE(?,7037F29D), ref: 7037F214
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: FreeHeap$CriticalExceptionFilterProcessSectionUnhandled$DestroyEnterLeaveProvidersStockValue
                                                        • String ID: WdsSetupLogInit
                                                        • API String ID: 2176533916-3317556560
                                                        • Opcode ID: 48a41b68adc64cd24d53f40b689b9d346f1556ae14dc1c4a09a1739a061f097b
                                                        • Instruction ID: cd75dcaac67c021c57003a378c82e497ee809491f509598be76e4b1c654be296
                                                        • Opcode Fuzzy Hash: 48a41b68adc64cd24d53f40b689b9d346f1556ae14dc1c4a09a1739a061f097b
                                                        • Instruction Fuzzy Hash: E431697B1002559FC7019B66DC88B5D7BBCBB48760B314588E513D72E0CB38D802EBB5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • IsDebuggerPresent.KERNEL32 ref: 70386572
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: DebuggerPresent
                                                        • String ID: %S(%d) : $%S(%d) : %S$%s%-20S%S$%s%-S(%S)%S$%s%S
                                                        • API String ID: 1347740429-1649778738
                                                        • Opcode ID: caf1c8ff3876e71a4cdb6f7cf7e39cb0db76cc9dd9fac8124aeefe9f0fd8141a
                                                        • Instruction ID: 163354ac184fb9832969ec0d72814c388f6bd2dd7f7db51cea21cc2d4199f829
                                                        • Opcode Fuzzy Hash: caf1c8ff3876e71a4cdb6f7cf7e39cb0db76cc9dd9fac8124aeefe9f0fd8141a
                                                        • Instruction Fuzzy Hash: 46716E79B002159FCB04DF55C994AAE7BB9AF98214F1141EDF806AB395DB30ED02CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • memset.MSVCRT ref: 70374EF9
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000068D,onecore\base\ntsetup\panther\engine\bb.cpp,CMemoryManager::InitializeSharedControlBlock,00000000,00000000,00000000,00000000), ref: 7037516F
                                                        Strings
                                                        • CMemoryManager::InitializeSharedControlBlock, xrefs: 70375154
                                                        • CMemoryManager::InitializeSharedControlBlock: m_pFileMapping->MapViewOfFile failed., xrefs: 70375139
                                                        • onecore\base\ntsetup\panther\engine\bb.cpp, xrefs: 70375159
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: MessageSetupmemset
                                                        • String ID: CMemoryManager::InitializeSharedControlBlock$CMemoryManager::InitializeSharedControlBlock: m_pFileMapping->MapViewOfFile failed.$onecore\base\ntsetup\panther\engine\bb.cpp
                                                        • API String ID: 3707652997-563137803
                                                        • Opcode ID: 6aa97158a9bddc69a779c970e847a4da26ee97ac8d227c7a290d81886caa34f1
                                                        • Instruction ID: 878ce82853b69848bc6061b95c828c493e15dba1ec8a39f4a9b58922f86d0f35
                                                        • Opcode Fuzzy Hash: 6aa97158a9bddc69a779c970e847a4da26ee97ac8d227c7a290d81886caa34f1
                                                        • Instruction Fuzzy Hash: 97915176E106199FDB08CF59C891BADB7F6FB88310F29816DE416E7384D778A901CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,?,7038B7A8,00000020,70388A37), ref: 70388938
                                                        • HeapAlloc.KERNEL32(00000000,?,7038B7A8,00000020,70388A37), ref: 7038893F
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: 5c56abdce633de2897126fedd764eb587bd6f2f43c9106280e261f8ebd6f90ef
                                                        • Instruction ID: 966768c57ebd2f8a60ded6df7293a3092705938db75889a39520b47764e6f3fe
                                                        • Opcode Fuzzy Hash: 5c56abdce633de2897126fedd764eb587bd6f2f43c9106280e261f8ebd6f90ef
                                                        • Instruction Fuzzy Hash: E8213DB6D0021AEFDB01CF9989456AEBBB9EF48310F2441AEE815B7280D7759901DFB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,70389192,70361000), ref: 7038905D
                                                        • UnhandledExceptionFilter.KERNEL32(70389192,?,70389192,70361000), ref: 70389066
                                                        • GetCurrentProcess.KERNEL32(C0000409,?,70389192,70361000), ref: 70389071
                                                        • TerminateProcess.KERNEL32(00000000,?,70389192,70361000), ref: 70389078
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                        • String ID:
                                                        • API String ID: 3231755760-0
                                                        • Opcode ID: 64e9eb57c3c4aa1432941aff69450222c24b040b40331526ddd6a9fa5bce5523
                                                        • Instruction ID: 2c875417da522722dc5d086c3ebdba3090b6befacb039d5a6df36be638fb8dda
                                                        • Opcode Fuzzy Hash: 64e9eb57c3c4aa1432941aff69450222c24b040b40331526ddd6a9fa5bce5523
                                                        • Instruction Fuzzy Hash: B0D0EA77044208EFDB002BF3DC0DB497E2DEBA9666F258490F70AC64A1DA75D9118B76
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadResource.KERNEL32(00000000,00000000,00000002,00000000,?,?,70383872,?,?,70388130,7036A5E0,?,?,703837E5,?), ref: 70382E81
                                                        • LockResource.KERNEL32(00000000,?,?,70383872,?,?,70388130,7036A5E0,?,?,703837E5,?,?,0000001C,7036ED07,00000000), ref: 70382E8C
                                                        • SizeofResource.KERNEL32(00000000,00000000,?,?,70383872,?,?,70388130,7036A5E0,?,?,703837E5,?,?,0000001C,7036ED07), ref: 70382E9A
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Resource$LoadLockSizeof
                                                        • String ID:
                                                        • API String ID: 2853612939-0
                                                        • Opcode ID: 9c90bb7ad860077e730cbda8059e6fc0ad785cb04e2b233960da4454c5df2b37
                                                        • Instruction ID: 42c897c63caaf871d5561046405d76b2bba9713e880a64b9df54a9bed8985f80
                                                        • Opcode Fuzzy Hash: 9c90bb7ad860077e730cbda8059e6fc0ad785cb04e2b233960da4454c5df2b37
                                                        • Instruction Fuzzy Hash: 2AF0F6775211365BC7325BA6CC48D6FBBACDAD07163121DAAFC53D3194DA74EC0181B8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLocalTime.KERNEL32(?,02000000,?,?,?,?,?,?,?,?,7037FA52), ref: 7037F381
                                                        • SystemTimeToVariantTime.OLEAUT32(?,?), ref: 7037F38F
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Time$LocalSystemVariant
                                                        • String ID:
                                                        • API String ID: 2941933870-0
                                                        • Opcode ID: 8e9418ed44f9d3fa21b737100b3b761e18074b64e825f485092ef3ed2c1806ff
                                                        • Instruction ID: c390bf7651fbd3cb6c0b647f2921eee83136d29b72305d7d5ad313c0bb40708d
                                                        • Opcode Fuzzy Hash: 8e9418ed44f9d3fa21b737100b3b761e18074b64e825f485092ef3ed2c1806ff
                                                        • Instruction Fuzzy Hash: 55F0307690050DAEDF00DBA9D9859EEB7FDFB4C2047200465D501F7150DA34EA098762
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 02479cd6c20967c4fb59681522b261df801151bd04dd4ac5013290deeb339201
                                                        • Instruction ID: 31acf7d3856c5c24794cd20910f5af405071bb9415cdbd73dc1b64352d64419b
                                                        • Opcode Fuzzy Hash: 02479cd6c20967c4fb59681522b261df801151bd04dd4ac5013290deeb339201
                                                        • Instruction Fuzzy Hash: 4E024EB648E3C24FD3434B7488656903FB19F17224B5E05EBC0D4CF4A3E29E599ADB22
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 25d522c3e8be586e415baa5c963a2ca0a38e0a3dd3961555091f6f193ec85136
                                                        • Instruction ID: 67f4951957a9ea22224442c5900bc181c5d9b31a625f1bc01a2403fc41d0a347
                                                        • Opcode Fuzzy Hash: 25d522c3e8be586e415baa5c963a2ca0a38e0a3dd3961555091f6f193ec85136
                                                        • Instruction Fuzzy Hash: 0CA0023314864CDB42501787980DA32779DD1D1672F7500E1D514025515976A852C6E5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4658b20e438dc180babc57b3c6d6dfffd426e1c10ef2d9aa69f93e826fcf1a3e
                                                        • Instruction ID: b3918da98df4161fcaf44ae461f3fc638fb56bef1e0ee197ba90cca98e3986c9
                                                        • Opcode Fuzzy Hash: 4658b20e438dc180babc57b3c6d6dfffd426e1c10ef2d9aa69f93e826fcf1a3e
                                                        • Instruction Fuzzy Hash: 7DA0223300820CCB02000283880CA32338CE0C0322B2000E0C000023000832A820C0E0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5939388f8c1f466a48ea9b731bfbfe542e01c99de1426122d4f1e9336c2c88c1
                                                        • Instruction ID: 0e109c16ff6df5c63177ec38e6efae532b84ddc5cd0488ed7aa44ebc0a828320
                                                        • Opcode Fuzzy Hash: 5939388f8c1f466a48ea9b731bfbfe542e01c99de1426122d4f1e9336c2c88c1
                                                        • Instruction Fuzzy Hash: FEA0023315864CEB42501687990DA32779DE1D5A62B6500E1D514025515976A811C5E5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7006bd44f8c936730955511141e1d577f1c8e3a85cbe44a254d1156e96e84e31
                                                        • Instruction ID: f02c9021c0607f83504b7a912f17c6d7a3d030f4bb6f50edf3caa528d8ad2c61
                                                        • Opcode Fuzzy Hash: 7006bd44f8c936730955511141e1d577f1c8e3a85cbe44a254d1156e96e84e31
                                                        • Instruction Fuzzy Hash: 3BA0027314868CDF825026875C09A32779DD5D16A2B6581E1D514825525972A811C5F6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 7036B512
                                                          • Part of subcall function 7036B37F: ResetEvent.KERNEL32(?,00000000,00000000,00000001,00000000,?,7036B525), ref: 7036B390
                                                          • Part of subcall function 7036B37F: GetLastError.KERNEL32(00000000,00000000,?,7036B525), ref: 7036B39E
                                                          • Part of subcall function 7036B37F: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000009B1,onecore\base\ntsetup\panther\engine\seq.c,pStartWorkerThreads,7036B525,00000000,?,7036B525), ref: 7036B3D4
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036B52D
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 7036B568
                                                        • GetLastError.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 7036B684
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000A5F,onecore\base\ntsetup\panther\engine\seq.c,SeqExecute,?,00000000), ref: 7036B873
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$HeapMessageSetup$AllocConstructCurrentEventObjectPartialProcessResetSingleThreadWaitmemset
                                                        • String ID: Could not wait on event queue handle (SEQ7)$Couldn't Publish EVENT_SERIALIZE_BEFORE_EXIT$Failed to backup PERMANENT event!!$SEQ Control$SeqExecute$SeqExecute -- stopping, since WdsExitImmediate() was called$SeqExecute -- stopping, since termination group reached$SeqExecute -- stopping, since termination group# < current group#$Successfully backed up PERMANENT event$Unable to startup async event processing threads$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 3692523425-1909290175
                                                        • Opcode ID: b1e59adc73674232b6eb996be4e4de35bc9480af15a4bbf6426369d79767084d
                                                        • Instruction ID: bea78073775af0e98da7ba9e5a2348daa6fb0ffcc3b1e67ad5c53abd1231ae24
                                                        • Opcode Fuzzy Hash: b1e59adc73674232b6eb996be4e4de35bc9480af15a4bbf6426369d79767084d
                                                        • Instruction Fuzzy Hash: A991D171700701BFD7108F62CC45EAE7BADEF85350F20412AF9469E299DB70A846DFA6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,7037FA1E,?), ref: 7037F570
                                                        • HeapAlloc.KERNEL32(00000000,?,7037FA1E,?), ref: 7037F577
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000011,?,7037FA1E,?), ref: 7037F583
                                                        • HeapReAlloc.KERNEL32(00000000,?,7037FA1E,?), ref: 7037F58A
                                                        • strrchr.MSVCRT ref: 7037F5B0
                                                        • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 7037F5DD
                                                        • HeapReAlloc.KERNEL32(00000000), ref: 7037F5E4
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?), ref: 7037F61E
                                                        • HeapReAlloc.KERNEL32(00000000), ref: 7037F625
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?), ref: 7037F665
                                                        • HeapReAlloc.KERNEL32(00000000), ref: 7037F66C
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?), ref: 7037F6A8
                                                        • HeapReAlloc.KERNEL32(00000000), ref: 7037F6AF
                                                        • strrchr.MSVCRT ref: 7037F6DA
                                                        • GetProcessHeap.KERNEL32(00000000,?,?), ref: 7037F706
                                                        • HeapReAlloc.KERNEL32(00000000), ref: 7037F70D
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?), ref: 7037F748
                                                        • HeapReAlloc.KERNEL32(00000000), ref: 7037F74F
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?), ref: 7037F78A
                                                        • HeapReAlloc.KERNEL32(00000000), ref: 7037F791
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess$strrchr
                                                        • String ID: || LogMessage: $ || SourceFunction: $ || SourceName: $C:\$Windows.~WS\Sources\SetupHost.Exe$ExecutableName:
                                                        • API String ID: 337399512-1888139173
                                                        • Opcode ID: ec6a138ec018d62a3c7331d80e0e53dc7b19f703509918df02c92af395983ca6
                                                        • Instruction ID: cc4ba346325dd97604796d0741487902aff07d4533623adc1885064e3361eecf
                                                        • Opcode Fuzzy Hash: ec6a138ec018d62a3c7331d80e0e53dc7b19f703509918df02c92af395983ca6
                                                        • Instruction Fuzzy Hash: 88811D77504641AFDB068F64CC98BAEBBBAFF46304B218299EC43DB341C6765D06DB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • memset.MSVCRT ref: 7036C161
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                          • Part of subcall function 7036942E: GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,7036B400,?,7036B525), ref: 70369440
                                                          • Part of subcall function 7036942E: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000004B,onecore\base\ntsetup\panther\engine\seq.c,pLock,7036B525,00000000,?,7036B400,?,7036B525), ref: 70369473
                                                          • Part of subcall function 7036942E: EnterCriticalSection.KERNEL32(0000006C,00000000,00000000,?,7036B400,?,7036B525), ref: 70369479
                                                        • GetLastError.KERNEL32(?,?), ref: 7036C25E
                                                          • Part of subcall function 70369321: GetProcessHeap.KERNEL32(00000008,00000018,00000098,?,7036AE34), ref: 7036932D
                                                          • Part of subcall function 70369321: HeapAlloc.KERNEL32(00000000), ref: 70369334
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036C2BD
                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,?), ref: 7036C349
                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,?,?), ref: 7036C3D8
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000DCE,onecore\base\ntsetup\panther\engine\seq.c,SeqSubscribeEx,?,00000000), ref: 7036C411
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                          • Part of subcall function 7036BCA0: WdsSeqFree.WDSCORE(?,?,?,7036C421,?,00000000,00090000,70361E24,00000000,00000DCE,onecore\base\ntsetup\panther\engine\seq.c,SeqSubscribeEx,?,00000000), ref: 7036BCBA
                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,?,?,?), ref: 7036C45F
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036C19B
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,SeqSubscribeEx,?,00000000), ref: 7036C1DA
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036C202
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000DD8,onecore\base\ntsetup\panther\engine\seq.c,SeqSubscribeEx,?,00000000), ref: 7036C498
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetup$Heap$AllocProcessmemset$ConstructCriticalEnterFreePartialSection
                                                        • String ID: %d %d$Could add subscription list item to hash table (SEQ12)$Could not allocate major event (SEQ9)$Could not allocate subscription list (SEQ11)$Could not allocate subscription list item (SEQ10)$Invalid Major/Minor Event pair given to WdsSubscribe by %s$Invalid callback 0x%X given to WdsSubscribe by %s. Did you put this callback in the initial callback table?$Module %s can't subscribe. Did you call WdsInitializeCallbackArray in your ModuleInit()?$SeqSubscribeEx$WdsSubscribeEx$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 1601202000-1065071412
                                                        • Opcode ID: 953573d39a781b1d4d1835f1a9bf93890036de379ccc432ffeb91d0c407532db
                                                        • Instruction ID: a5c2ab0687a649a5e46c7f84b54961ae0be6a5d4c48e5d09107e110542cf90d0
                                                        • Opcode Fuzzy Hash: 953573d39a781b1d4d1835f1a9bf93890036de379ccc432ffeb91d0c407532db
                                                        • Instruction Fuzzy Hash: FD916471B00318BFEB11CF61CD91FBE737DAB45240F10419AF949AE248DB71AD459B22
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                        • memset.MSVCRT ref: 7036F96D
                                                        • memset.MSVCRT ref: 7036F97B
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000002D8,onecore\base\ntsetup\panther\engine\engine.cpp,pCreateCleanTempDir,?,00000000,00000000,00000000), ref: 7036F9C7
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • GetLastError.KERNEL32 ref: 7036F98C
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 7036F9DE
                                                        • GetLastError.KERNEL32 ref: 7036F9F5
                                                        • memset.MSVCRT ref: 7036FA11
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 7036FA26
                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 7036FA4C
                                                        • HeapAlloc.KERNEL32(00000000), ref: 7036FA53
                                                        • GetLastError.KERNEL32 ref: 7036FAA3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                         • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorHeapLastmemset$AllocFileModuleNameProcess$ConstructMessagePartialSetup
                                                        • String ID: C:\$Windows.~WS\Sources\Panther$Directory %s is not useable by panther$GetModuleFileName failed in engine::pCleanOutTempDir$No working dir has been given to panther. The temp dir for modules will be unavailable. Call WdsInitialize(ReInit=TRUE) to specify a working directory$StringCchCopy fails for %s$onecore\base\ntsetup\panther\engine\engine.cpp$pCreateCleanTempDir
                                                        • API String ID: 3997078125-2408999666
                                                        • Opcode ID: c9e3d8c96b93d0e543c0853d1930033394f2c3f2eb6a3f275b2bc97237a4ce1c
                                                        • Instruction ID: d8436b38ba830d20f0fa91a844176eceba1f26be509a54707db0653a62ff0b0e
                                                        • Opcode Fuzzy Hash: c9e3d8c96b93d0e543c0853d1930033394f2c3f2eb6a3f275b2bc97237a4ce1c
                                                        • Instruction Fuzzy Hash: C651E5B2900219BFD7119BA5CC85FEF37BCAF45750F10019AF909AB189EB74AE458B70
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                        • memset.MSVCRT ref: 7037DD60
                                                          • Part of subcall function 70384E42: GetVersion.KERNEL32(?), ref: 70384E85
                                                          • Part of subcall function 70384E42: GetModuleHandleW.KERNEL32(kernel32,?), ref: 70384EF9
                                                          • Part of subcall function 70384E42: GetProcAddress.KERNEL32(00000000,AddVectoredExceptionHandler), ref: 70384F09
                                                          • Part of subcall function 70384E42: memset.MSVCRT ref: 70384FBD
                                                          • Part of subcall function 70384E42: ExpandEnvironmentStringsW.KERNEL32(%windir%\system32\dbghelp.dll,?,00000104,?,?,?), ref: 70384FD6
                                                          • Part of subcall function 70384E42: LoadLibraryExW.KERNELBASE(?,00000000,00000000,?,?,?), ref: 70384FE9
                                                          • Part of subcall function 70384E42: FreeLibrary.KERNEL32(00000000,?,?,?), ref: 70384FFE
                                                        • GetLastError.KERNEL32 ref: 7037DDCA
                                                        • GetCurrentProcessId.KERNEL32(00000000), ref: 7037E15B
                                                        • WdsLogRegStockProviders.WDSCORE ref: 7037E1C1
                                                        • WdsLogCreate.WDSCORE(|Y6p,70365DC0,00000011), ref: 7037E1D3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                         • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Librarymemset$AddressCreateCurrentEnvironmentErrorExpandFreeHandleLastLoadModuleProcProcessProvidersStockStringsVersion
                                                        • String ID: C:\$Windows.~WS\Sources\SetupHost.Exe$C:\$Windows.~WS\Sources\SetupHost.Exe$Con$Err$Fil$Fun$Global\SetupLog$Global\WdsSetupLogInit$Msg$SetupLog$Sev$Uid$WdsSetupLogInit$|Y6p
                                                        • API String ID: 3681431477-4038022405
                                                        • Opcode ID: 12242a35c128a1b4f1fceaddec18e38d79452bc5bb5cc422d6123949ec0d8e9c
                                                        • Instruction ID: f251078c48acb4ed50eddef27f338643d79111856daafcc8206c1e8a341fb493
                                                        • Opcode Fuzzy Hash: 12242a35c128a1b4f1fceaddec18e38d79452bc5bb5cc422d6123949ec0d8e9c
                                                        • Instruction Fuzzy Hash: 33D13FB5901228DFDB60DF55CC88B9EBBB8BF49310F5041EAE949A7264D7745E80CF60
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                        • VariantTimeToSystemTime.OLEAUT32 ref: 70385D3E
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 7038615C
                                                        • HeapFree.KERNEL32(00000000), ref: 70386163
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                         • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: HeapTime$FreeProcessSystemVariant
                                                        • String ID: %-10S [0x%06x] %-6S %S$%-10S [0x%06x] %-6S %s$%-20S %-10S [0x%06x] %-6S %S$%-20S %-10S [0x%06x] %-6S %s$%-20S %-21S %-6S %S$%-20S %-21S %-6S %s$%-20S %-21S [0x%06x] %S$%-20S %-21S [0x%06x] %s$%-21S %-6S %S$%-21S %-6S %s$%d-%02d-%02d %02d:%02d:%02d,$NoSeverity$[gle=0x%.8x]
                                                        • API String ID: 2986476726-3621657540
                                                        • Opcode ID: 9df2909655b9851160cb1dce078479b7b639df49b621ee3dd4dbb30f13616cd4
                                                        • Instruction ID: dee18b8a9327934069d47a42fa257dc446ac1fe22a92d936bb3fe21f9c5f24b3
                                                        • Opcode Fuzzy Hash: 9df2909655b9851160cb1dce078479b7b639df49b621ee3dd4dbb30f13616cd4
                                                        • Instruction Fuzzy Hash: 3BE19575A00129EFCF258F54CD98BADB7BAAF48300F1142DDE90AA7295D7359E81CF60
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                         • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: memset
                                                        • String ID: %s%s$Failed to add to WorkQueue->OfflineQueuesTable$Failed to alloc WorkQueue->OfflineQueuesTable$Failed to create online queue name$Failed to initialize SEQ$Online$The names of all offline queues and offline groups must be unique. '%s' is already used$onecore\base\ntsetup\panther\engine\engine.cpp$pInitializeWorkQueue
                                                        • API String ID: 2221118986-523032083
                                                        • Opcode ID: 96f0d53ed4fde82c102b64e0cbc82c8c9aa6556d443ac95d6f6627a328077160
                                                        • Instruction ID: 683101510cb576074c901269a2c16a4d94c39a6037fb20af2b5670c889fad644
                                                        • Opcode Fuzzy Hash: 96f0d53ed4fde82c102b64e0cbc82c8c9aa6556d443ac95d6f6627a328077160
                                                        • Instruction Fuzzy Hash: EE717072A00205EFE710DB56DC95F5E77BDEB48364F2081AAE809DB294EB74AD41CF60
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                          • Part of subcall function 7036942E: GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,7036B400,?,7036B525), ref: 70369440
                                                          • Part of subcall function 7036942E: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000004B,onecore\base\ntsetup\panther\engine\seq.c,pLock,7036B525,00000000,?,7036B400,?,7036B525), ref: 70369473
                                                          • Part of subcall function 7036942E: EnterCriticalSection.KERNEL32(0000006C,00000000,00000000,?,7036B400,?,7036B525), ref: 70369479
                                                        • GetCurrentThreadId.KERNEL32 ref: 7036AB30
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036AB43
                                                        • WdsSetupLogMessageW.WDSCORE(00000000), ref: 7036AB79
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036ABCA
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036AC12
                                                        • GetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 7036ACAD
                                                        • GetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 7036ACDD
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000006F1,onecore\base\ntsetup\panther\engine\seq.c,SeqSetNextExecutionGroup,?,00000000), ref: 7036AD13
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                         • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetup$CriticalCurrentEnterSectionThread
                                                        • String ID: Attempt to use SeqSetNextExecutionGroup from another thread$Failed to backup PERMANENT event during SetNextExecutionGroup!!$Group: %s not found! (SEQ5)$SeqSetNextExecutionGroup$Successfully backed up PERMANENT event during SetNextExecutionGroup$WdsSetNextExecutionGroup$WdsSetNextExecutionGroup failed - the queue is currently locked$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 1326370729-2211441728
                                                        • Opcode ID: 8ce5180f7556248cb754d5f8365a436eef5e2e5da2520ce1beb4ad7552913dc5
                                                        • Instruction ID: d129fb0f9d34cef330109a356547bc19d7f572025fbc2fe2475ff57693077e82
                                                        • Opcode Fuzzy Hash: 8ce5180f7556248cb754d5f8365a436eef5e2e5da2520ce1beb4ad7552913dc5
                                                        • Instruction Fuzzy Hash: C0519171F00604BFDB148FA5CC91FAEB6B9EB48200F21411AF956AF298DB75AC01DF65
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                        • memset.MSVCRT ref: 7036E4C9
                                                        • CreateFileW.KERNEL32(?,80000000,?,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?), ref: 7036E515
                                                        • GetLastError.KERNEL32(?,?,?,80000000,?,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther), ref: 7036E52A
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?), ref: 7036E55F
                                                        • GetLastError.KERNEL32(?,?,?,80000000,?,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther), ref: 7036E57F
                                                        • GetLastError.KERNEL32(?,?,?,80000000,?,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther), ref: 7036E5C4
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                          • Part of subcall function 7036E435: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,7038A5C0,00000010,7036E73C), ref: 7036E451
                                                          • Part of subcall function 7036E435: WriteFile.KERNEL32(?,?,00000004,7036F5DE,00000000,?,00000000,00000000,00000000,7038A5C0,00000010,7036E73C), ref: 7036E465
                                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,08000080,00000000,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?), ref: 7036E61E
                                                        • GetLastError.KERNEL32(00000000,00000000,?,C0000000,00000000,00000000,00000002,08000080,00000000,?,?,00000001,C:\$Windows.~WS\Sources\Panther), ref: 7036E635
                                                        • GetLastError.KERNEL32(00000000,00000000,?,C0000000,00000000,00000000,00000002,08000080,00000000,?,?,00000001,C:\$Windows.~WS\Sources\Panther), ref: 7036E686
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                         • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$File$Create$ConstructMessagePartialPointerSetupWritememset
                                                        • String ID: OF_Open$The file '%s' couldn't be opened for input$The file '%s' couldn't be opened for output$The header for '%s' couldn't be read$The header for '%s' couldn't be written$The version of '%s' is %d, but the required version is %d$onecore\base\ntsetup\panther\engine\objectfile.c
                                                        • API String ID: 2332610483-1216819758
                                                        • Opcode ID: cab27a4fbd90502dc21241bbe172301127ba5875d1dd38397a63a72e3b1bbe97
                                                        • Instruction ID: 756c2d72dc99bba77378b76fb84652fede9a40445dc973f5a17f9cdc0255b300
                                                        • Opcode Fuzzy Hash: cab27a4fbd90502dc21241bbe172301127ba5875d1dd38397a63a72e3b1bbe97
                                                        • Instruction Fuzzy Hash: DD5191B1A40309BFEB108F648D85FEE76BCEB58718F204219F955BA284D775AC149B20
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                        • GetLastError.KERNEL32(00000000,00000000,7038A460,00000038,703716E4,?,?,?), ref: 7036C9B4
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000), ref: 7036C9F9
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                          • Part of subcall function 7036942E: GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,7036B400,?,7036B525), ref: 70369440
                                                          • Part of subcall function 7036942E: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000004B,onecore\base\ntsetup\panther\engine\seq.c,pLock,7036B525,00000000,?,7036B400,?,7036B525), ref: 70369473
                                                          • Part of subcall function 7036942E: EnterCriticalSection.KERNEL32(0000006C,00000000,00000000,?,7036B400,?,7036B525), ref: 70369479
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000), ref: 7036CA17
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000FAA,onecore\base\ntsetup\panther\engine\seq.c,SeqUnsubscribeEx,?,00000000), ref: 7036CA51
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000), ref: 7036CA7A
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000), ref: 7036CB64
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,?,00090000,70361E24,00000000,00000FD7,onecore\base\ntsetup\panther\engine\seq.c,SeqUnsubscribeEx,?,00000000), ref: 7036CBBC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                         • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                         • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetup$Heap$AllocConstructCriticalEnterPartialProcessSectionmemset
                                                        • String ID: <Null>$Invalid Major/Minor Event pair given to WdsUnsubscribeEx by %s$SeqUnsubscribeEx$WdsUnsubscribeEx$WdsUnsubscribeEx could not allocate major event$WdsUnsubscribeEx(%s, %s, %d, %d) called$WdsUnsubscribeEx(%s, %s, %d, %d) removed subscription (%s, %d, Callback:%d)$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 2791931779-719738735
                                                        • Opcode ID: a47b346e5fd52d14c39e2b69a6e7a11fd33a5ff298c10f7f7962263455366145
                                                        • Instruction ID: 54f643fb23e29b5f26aaab2d11790c99e0cfe4881ac0568343ad349ab72a8e13
                                                        • Opcode Fuzzy Hash: a47b346e5fd52d14c39e2b69a6e7a11fd33a5ff298c10f7f7962263455366145
                                                        • Instruction Fuzzy Hash: 51619472A00209BFDB11CF95CC41EEEBBB5EF48650F154119F90ABB248D775AC46DBA0
                                                         Uniqueness
                                                         • Uniqueness Score: -1.00%
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,0000009C,7038A320,00000018,7037040B), ref: 7036AD97
                                                        • HeapAlloc.KERNEL32(00000000), ref: 7036AD9E
                                                        • InitializeCriticalSection.KERNEL32(0000006C), ref: 7036ADCC
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036ADDA
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000745,onecore\base\ntsetup\panther\engine\seq.c,SeqConstruct,00000000,00000000), ref: 7036AE10
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00090000,70361E24,00000000,00000745,onecore\base\ntsetup\panther\engine\seq.c,SeqConstruct,00000000,00000000), ref: 7036AE1C
                                                          • Part of subcall function 70369321: GetProcessHeap.KERNEL32(00000008,00000018,00000098,?,7036AE34), ref: 7036932D
                                                          • Part of subcall function 70369321: HeapAlloc.KERNEL32(00000000), ref: 70369334
                                                        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 7036AEAD
                                                        • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 7036AEC1
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036AF53
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000797,onecore\base\ntsetup\panther\engine\seq.c,SeqConstruct,?,00000000), ref: 7036AF8A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocCreateErrorEventLastProcess$MessageSetup$ConstructCriticalInitializePartialSectionmemset
                                                        • String ID: InitializedCriticalSection for pExecQueue->csLock;$SEQ Control$SeqConstruct$There was a problem creating a PEXEC_QUEUE_LIST_ITEM member$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 633196269-1579434480
                                                        • Opcode ID: fdbc8a4b767d1200ddd5a1d4ac934dddf32290266775eb86e0ee23a8d492b79e
                                                        • Instruction ID: b79238fb7375aba1541e2d9c1124664cd343ca41223080f7deee0a54b1021677
                                                        • Opcode Fuzzy Hash: fdbc8a4b767d1200ddd5a1d4ac934dddf32290266775eb86e0ee23a8d492b79e
                                                        • Instruction Fuzzy Hash: 6E5180B5A04B01AFDB248F618D41BAE77B9FF04301F20496EF957AE285DB71AC018F65
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _wcsicmp.MSVCRT ref: 70387843
                                                        • _wcsicmp.MSVCRT ref: 7038785B
                                                        • _wcsicmp.MSVCRT ref: 7038788A
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 703878BA
                                                        • HeapAlloc.KERNEL32(00000000), ref: 703878C1
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 703878CC
                                                        • HeapAlloc.KERNEL32(00000000), ref: 703878D3
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 703878DE
                                                        • HeapAlloc.KERNEL32(00000000), ref: 703878E5
                                                          • Part of subcall function 703874C8: __EH_prolog3.LIBCMT ref: 703874CF
                                                        • wcstok_s.MSVCRT ref: 7038792E
                                                        • swscanf_s.MSVCRT ref: 70387968
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess_wcsicmp$H_prolog3swscanf_swcstok_s
                                                        • String ID: %s %s "%[^"]"$LOG$SUPPRESS$default
                                                        • API String ID: 3361256332-364000695
                                                        • Opcode ID: 49de2af98681eda870f334f8c994f1d9bdb0c9056a4940fd9d70ac6e797bea5d
                                                        • Instruction ID: 43b5b1c8b91037e4521a3dc540f129f8a40277cd0afd8b45ff6618b78a22547d
                                                        • Opcode Fuzzy Hash: 49de2af98681eda870f334f8c994f1d9bdb0c9056a4940fd9d70ac6e797bea5d
                                                        • Instruction Fuzzy Hash: 98516D76D00219DFCB11CFA9DC45ADEBBBAFF48311B24419AE806E7290D7709881CB74
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                        • GetLastError.KERNEL32(00000000,00000000,7038A4A0,00000020,7036B7F3,SEQ Control,00000002,00000000,00000000), ref: 7036CFCD
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00001121,onecore\base\ntsetup\panther\engine\seq.c,SeqPublishImmediateEx,00000000,00000000), ref: 7036D012
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastMessageSetup
                                                        • String ID: Could not allocate event list item (SEQ16)$Could not duplicate data (SEQ17)$SeqPublishImmediate() -- MajorEvent and MinorEvent cannot be 0$SeqPublishImmediateEx$WdsPublishImmediateEx() -- Invalid event data submitted by '%s': %s$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 2111701876-1626700938
                                                        • Opcode ID: faaa9fab507def5eb98af445f41b483599c847e710e95be6b7028f2dbaadaa6b
                                                        • Instruction ID: dd7dee97e019073a35455ada794e7f94814607ddccd25270c005ff0a92ff817c
                                                        • Opcode Fuzzy Hash: faaa9fab507def5eb98af445f41b483599c847e710e95be6b7028f2dbaadaa6b
                                                        • Instruction Fuzzy Hash: D0516171A00204BFDF01CFA5CC56FEE7BB9EB88610F204519F905BE288DB75A852DB25
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                          • Part of subcall function 7036942E: GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,7036B400,?,7036B525), ref: 70369440
                                                          • Part of subcall function 7036942E: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000004B,onecore\base\ntsetup\panther\engine\seq.c,pLock,7036B525,00000000,?,7036B400,?,7036B525), ref: 70369473
                                                          • Part of subcall function 7036942E: EnterCriticalSection.KERNEL32(0000006C,00000000,00000000,?,7036B400,?,7036B525), ref: 70369479
                                                        • GetLastError.KERNEL32(00000000,00000000,7038A480,00000020,703717AC,?,?,?,?,?,00000000), ref: 7036CC7F
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • GetLastError.KERNEL32(00000000,00000000,7038A480,00000020,703717AC,?,?,?,?,?,00000000), ref: 7036CD1A
                                                        • WdsSetupLogMessageW.WDSCORE(00000000), ref: 7036CD60
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,?,7038A480,00000020,703717AC,?,?,?,?,?,00000000), ref: 7036CE31
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00001037,onecore\base\ntsetup\panther\engine\seq.c,SeqPublish,?,00000000), ref: 7036CEB3
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • SetLastError.KERNEL32(00000057,00000000,00090000,70361E24,00000000,00001037,onecore\base\ntsetup\panther\engine\seq.c,SeqPublish,?,00000000), ref: 7036CEBA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetup$Heap$AllocConstructCriticalEnterPartialProcessSectionmemset
                                                        • String ID: SeqPublish$WdsPublish$WdsPublish() -- Invalid event data submitted by '%s': %s$WdsPublish() -- MajorEvent and MinorEvent cannot be 0$WdsPublish() -- The PriorityGroupStr must be null if an actual queue position is given from an iterator$WdsPublish() by module %s - invalid group name %s$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 2791931779-78453608
                                                        • Opcode ID: 7f8f59d719ae74096b3b54f8f95415f0ade7f08cc118e4d13b928c977cfd2c3e
                                                        • Instruction ID: f8c9898e6b8f490399bead0e4b174755a1e0481a0732342aa872368d26c2c3ab
                                                        • Opcode Fuzzy Hash: 7f8f59d719ae74096b3b54f8f95415f0ade7f08cc118e4d13b928c977cfd2c3e
                                                        • Instruction Fuzzy Hash: F9717471B10208AFDB00DFA5CD81AEE77B9FF49254F208129F816AB288D775AC01DB64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 7037FBA0
                                                        • memset.MSVCRT ref: 7037FBC4
                                                        • strrchr.MSVCRT ref: 7037FC26
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 7037FCAF
                                                        • HeapFree.KERNEL32(00000000,?,?), ref: 7037FCB6
                                                        • GetCurrentThreadId.KERNEL32 ref: 7037FCD3
                                                        • GetMinorTaskA.WDSCORE ref: 7037FCEF
                                                        • GetMajorTaskA.WDSCORE ref: 7037FCF8
                                                        • WdsSetupLogDestroy.WDSCORE ref: 7037FD5D
                                                        • ExitProcess.KERNEL32 ref: 7037FD63
                                                          • Part of subcall function 7037D3BE: VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,?,7037F96D), ref: 7037D3DF
                                                        • RaiseException.KERNEL32(C0000025,00000001,00000000,00000000), ref: 7037FD78
                                                        • SetLastError.KERNEL32(?), ref: 7037FD82
                                                        Strings
                                                        • C:\$Windows.~WS\Sources\SetupHost.Exe, xrefs: 7037FD14
                                                        • <unknown>, xrefs: 7037FBA6
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorHeapLastProcessTask$CurrentDestroyExceptionExitFreeMajorMinorQueryRaiseSetupThreadVirtualmemsetstrrchr
                                                        • String ID: <unknown>$C:\$Windows.~WS\Sources\SetupHost.Exe
                                                        • API String ID: 3918770063-4162240039
                                                        • Opcode ID: 9a978b79c9b13e6c4670c19c3a775860420140a86a4824acade6c53c463f8713
                                                        • Instruction ID: 60ed491dbf2b1ea21448638f1b10ad9e731460929cdfd80da666f05ea3488f78
                                                        • Opcode Fuzzy Hash: 9a978b79c9b13e6c4670c19c3a775860420140a86a4824acade6c53c463f8713
                                                        • Instruction Fuzzy Hash: 2D6147B26043459FCB01DF69C884A5EBBF9FB88310F10895DF98AD72A0D735E801DB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000,7038A1A0,00000034,70369E9A,?,7038A200,00000014,70369FDC,000000FF,00000000,?,00000000,7038A220,00000018,7036D76E), ref: 70369AF2
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000207,onecore\base\ntsetup\panther\engine\seq.c,InitializeModule,?,00000000,?,00000000,?,?,00000000,00090000,70361E24), ref: 70369B28
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                          • Part of subcall function 7036942E: GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,7036B400,?,7036B525), ref: 70369440
                                                          • Part of subcall function 7036942E: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000004B,onecore\base\ntsetup\panther\engine\seq.c,pLock,7036B525,00000000,?,7036B400,?,7036B525), ref: 70369473
                                                          • Part of subcall function 7036942E: EnterCriticalSection.KERNEL32(0000006C,00000000,00000000,?,7036B400,?,7036B525), ref: 70369479
                                                          • Part of subcall function 70369810: GetLastError.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 703698F5
                                                          • Part of subcall function 70369810: WdsSetupLogMessageW.WDSCORE(00000000,00000000,?,00000014,00000000,SeqExecute,?), ref: 703699CD
                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00090000,70361E24,00000000,00000207,onecore\base\ntsetup\panther\engine\seq.c,InitializeModule,?,00000000,?,00000000), ref: 70369B6C
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,?,00000014,00000000,SeqExecute,?), ref: 70369BA7
                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,00000000,00090000,70361E24,00000000,00000207,onecore\base\ntsetup\panther\engine\seq.c,InitializeModule,?,00000000,?,00000000), ref: 70369BBB
                                                        • GetLastError.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00090000,70361E24,00000000,000012A5,onecore\base\ntsetup\panther\engine\seq.c,SeqSerializeToFile,70361E24,00000000), ref: 70369BD3
                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 70369C23
                                                        • GetLastError.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00090000,70361E24,00000000,000012A5,onecore\base\ntsetup\panther\engine\seq.c,SeqSerializeToFile,70361E24,00000000), ref: 70369C3B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetup$Heap$AddressAllocConstructCriticalEnterLibraryLoadPartialProcProcessSectionmemset
                                                        • String ID: Failed to resolve binary for module '%s'$InitializeModule$InitializeModule - Failed to find entry point %s$InitializeModule - Failed to load %s$InitializeModule: Initializing ExecQueue->csLock;$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 1030237580-3882289104
                                                        • Opcode ID: 5d178bd50d2c8037b656e1855f61188e324931eb7053e0e8f0b877e2d16fe019
                                                        • Instruction ID: db48b735f87475d3ec0c92163d1651767b092e6643ca976d6589fc19f6d562bd
                                                        • Opcode Fuzzy Hash: 5d178bd50d2c8037b656e1855f61188e324931eb7053e0e8f0b877e2d16fe019
                                                        • Instruction Fuzzy Hash: B8513CB1A00604BFDB11CFA5CC85EEEBBFDEF88600F10455AF946AB254DB31A905DB64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • memset.MSVCRT ref: 7036FD5B
                                                        • GetLastError.KERNEL32(SeqExecute,?,00000000), ref: 7036FDB1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000403,onecore\base\ntsetup\panther\engine\engine.cpp,EngineCompleteSaveOperation,?,00000000,00000000,00000000), ref: 7036FDEC
                                                          • Part of subcall function 7036E4A1: memset.MSVCRT ref: 7036E4C9
                                                          • Part of subcall function 7036E4A1: CreateFileW.KERNEL32(?,80000000,?,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?), ref: 7036E515
                                                          • Part of subcall function 7036E4A1: GetLastError.KERNEL32(?,?,?,80000000,?,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther), ref: 7036E52A
                                                          • Part of subcall function 7036E4A1: WdsSetupLogMessageW.WDSCORE(00000000,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?), ref: 7036E55F
                                                        • GetLastError.KERNEL32(00000001,?,SeqExecute,?,00000000), ref: 7036FE0E
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                          • Part of subcall function 7036AFC8: DeleteCriticalSection.KERNEL32(?,7038A340,00000018,703706AA,00000000,70370B5E), ref: 7036AFE7
                                                          • Part of subcall function 7036AFC8: GetLastError.KERNEL32(00000000,00000000), ref: 7036AFF5
                                                          • Part of subcall function 7036AFC8: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000007C7,onecore\base\ntsetup\panther\engine\seq.c,SeqDestruct,?,00000000), ref: 7036B02B
                                                          • Part of subcall function 7036AFC8: CloseHandle.KERNEL32(?,00000000,00090000,70361E24,00000000,000007C7,onecore\base\ntsetup\panther\engine\seq.c,SeqDestruct,?,00000000), ref: 7036B038
                                                          • Part of subcall function 7036AFC8: GetLastError.KERNEL32(00000000,00000000,00000000,00090000,70361E24,00000000,000007C7,onecore\base\ntsetup\panther\engine\seq.c,SeqDestruct,?,00000000), ref: 7036B09A
                                                          • Part of subcall function 7036AFC8: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000007EA,onecore\base\ntsetup\panther\engine\seq.c,SeqDestruct,?,00000000), ref: 7036B0D0
                                                          • Part of subcall function 7036AFC8: CloseHandle.KERNEL32(?,00000000,00090000,70361E24,00000000,000007C7,onecore\base\ntsetup\panther\engine\seq.c,SeqDestruct,?,00000000), ref: 7036B10C
                                                        • GetLastError.KERNEL32(00000000,00000001,?,SeqExecute,?,00000000), ref: 7036FE64
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000409,onecore\base\ntsetup\panther\engine\engine.cpp,EngineCompleteSaveOperation,?,00000000,00000000,00000000), ref: 7036FEAA
                                                        • GetLastError.KERNEL32(SeqExecute,?,00000000), ref: 7036FEF4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetup$CloseHandlememset$ConstructCreateCriticalDeleteFilePartialSection
                                                        • String ID: EngineCompleteSaveOperation$EngineCompleteSaveOperation couldn't create %s$EngineCompleteSaveOperation couldn't obtain new file version!$EngineCompleteSaveOperation couldn't save %s$EngineCompleteSaveOperation couldn't save contents file$onecore\base\ntsetup\panther\engine\engine.cpp
                                                        • API String ID: 785963527-3458872992
                                                        • Opcode ID: 99453fcdafe506f25e4afaf68b643f335315036a4bd47a41a1591595168edfbc
                                                        • Instruction ID: d7da32ec8a6d29383383341d9072e3013ab4028b017fdee244d5cd6a2c48629f
                                                        • Opcode Fuzzy Hash: 99453fcdafe506f25e4afaf68b643f335315036a4bd47a41a1591595168edfbc
                                                        • Instruction Fuzzy Hash: 3151CFB2A00215BFD710DB55CC8AE9E37BCEB44364F2041A9F9096F299DB75AD42CB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DeleteCriticalSection.KERNEL32(?,7038A340,00000018,703706AA,00000000,70370B5E), ref: 7036AFE7
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036AFF5
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000007C7,onecore\base\ntsetup\panther\engine\seq.c,SeqDestruct,?,00000000), ref: 7036B02B
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • CloseHandle.KERNEL32(?,00000000,00090000,70361E24,00000000,000007C7,onecore\base\ntsetup\panther\engine\seq.c,SeqDestruct,?,00000000), ref: 7036B038
                                                          • Part of subcall function 703693CC: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,7036B132,00000000,00090000,70361E24,00000000,000007C7,onecore\base\ntsetup\panther\engine\seq.c,SeqDestruct,?,00000000), ref: 70369417
                                                          • Part of subcall function 703693CC: HeapFree.KERNEL32(00000000,?,?,?,7036B132,00000000,00090000,70361E24,00000000,000007C7,onecore\base\ntsetup\panther\engine\seq.c,SeqDestruct,?,00000000), ref: 7036941E
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,00090000,70361E24,00000000,000007C7,onecore\base\ntsetup\panther\engine\seq.c,SeqDestruct,?,00000000), ref: 7036B09A
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000007EA,onecore\base\ntsetup\panther\engine\seq.c,SeqDestruct,?,00000000), ref: 7036B0D0
                                                        • CloseHandle.KERNEL32(?,00000000,00090000,70361E24,00000000,000007C7,onecore\base\ntsetup\panther\engine\seq.c,SeqDestruct,?,00000000), ref: 7036B10C
                                                        • CloseHandle.KERNEL32(?,00000000,00090000,70361E24,00000000,000007C7,onecore\base\ntsetup\panther\engine\seq.c,SeqDestruct,?,00000000), ref: 7036B11D
                                                        • WdsSeqFree.WDSCORE(?,00000000,00090000,70361E24,00000000,000007C7,onecore\base\ntsetup\panther\engine\seq.c,SeqDestruct,?,00000000), ref: 7036B14A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$CloseErrorHandleLast$FreeMessageProcessSetup$AllocConstructCriticalDeletePartialSectionmemset
                                                        • String ID: DeleteCriticalSection for pExecQueue->csLock;$Destroying any unreferenced modules! (SEQ6)$SeqDestruct$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 3251754948-253219117
                                                        • Opcode ID: 6abe92026f121555e82207b9df98faf596f2506b3024924277ef073ea9c26760
                                                        • Instruction ID: 79c127ee9127f4c4d894b36c2d19644f15a4afcd57c869f7db4074714a23ffaf
                                                        • Opcode Fuzzy Hash: 6abe92026f121555e82207b9df98faf596f2506b3024924277ef073ea9c26760
                                                        • Instruction Fuzzy Hash: 7C41BD76700705AFDB149BA1C992FAFB7B8AF04600F10495DF853AB699CB31BC428F21
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WaitForMultipleObjectsEx.KERNEL32(00000002,?,00000000,000000FF,00000000), ref: 7036B219
                                                        • SetEvent.KERNEL32(?), ref: 7036B26B
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 7036B28D
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 7036B2C2
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036B2D4
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036B311
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000098C,onecore\base\ntsetup\panther\engine\seq.c,pWorkerThreadFunc,?,00000000), ref: 7036B347
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000997,onecore\base\ntsetup\panther\engine\seq.c,pWorkerThreadFunc,?,00000000), ref: 7036B30A
                                                          • Part of subcall function 7036942E: GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,7036B400,?,7036B525), ref: 70369440
                                                          • Part of subcall function 7036942E: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000004B,onecore\base\ntsetup\panther\engine\seq.c,pLock,7036B525,00000000,?,7036B400,?,7036B525), ref: 70369473
                                                          • Part of subcall function 7036942E: EnterCriticalSection.KERNEL32(0000006C,00000000,00000000,?,7036B400,?,7036B525), ref: 70369479
                                                        • LeaveCriticalSection.KERNEL32(?,00000000,00090000,70361E24,00000000,0000098C,onecore\base\ntsetup\panther\engine\seq.c,pWorkerThreadFunc,?,00000000), ref: 7036B368
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$ErrorLastLeaveMessageSetup$EnterEventMultipleObjectsWait
                                                        • String ID: onecore\base\ntsetup\panther\engine\seq.c$pWorkerThreadFunc$pWorkerThreadFunc -- Stopping$pWorkerThreadFunc -- WaitForMultipleObjects failed
                                                        • API String ID: 3949982581-3723899833
                                                        • Opcode ID: ebef566ff85d6d50bbff0997af09e32089562b20495bdc65959e641048c4a6eb
                                                        • Instruction ID: 05eb1c6b7938a56e1f87ab68d2aa56c749a9ec2ab66a1cc714d00985238fd315
                                                        • Opcode Fuzzy Hash: ebef566ff85d6d50bbff0997af09e32089562b20495bdc65959e641048c4a6eb
                                                        • Instruction Fuzzy Hash: D3419F72204701AFD7009F65CC95FAFB7ADFF84200F20891EF996DA299DF70A8458B61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 7036FBEF: EnterCriticalSection.KERNEL32(7038DF40,7038A780,00000010,7036DD91), ref: 7036FC0C
                                                          • Part of subcall function 7036FBEF: GetLastError.KERNEL32 ref: 7036FC1B
                                                          • Part of subcall function 7036FBEF: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000003A8,onecore\base\ntsetup\panther\engine\engine.cpp,EngineBeginSaveOperation,00000000,00000000,00000000,00000000), ref: 7036FC56
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,SeqExecute,?,00000000), ref: 7036DDE0
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036DDA0
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036DE07
                                                        • WdsSetupLogMessageW.WDSCORE(00000000), ref: 7036DE4E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetup$Heap$AllocConstructCriticalEnterPartialProcessSectionmemset
                                                        • String ID: Could not close file for '%s'$Could not save queue '%s' to '%s'$Could not save save engine state for executing queue '%s'$Could not start save operation for '%s'$onecore\base\ntsetup\panther\engine\seq.c$pHandleSerialize
                                                        • API String ID: 2791931779-3122996627
                                                        • Opcode ID: f71682d1e9d47427445bfa05ffa7f74f0cdd51759137254f5f3d2b2bb4d15b76
                                                        • Instruction ID: 7d68c550a017f1cffb543fbbcfb620fe2bfb49487e8fc2b63a44675650860ab2
                                                        • Opcode Fuzzy Hash: f71682d1e9d47427445bfa05ffa7f74f0cdd51759137254f5f3d2b2bb4d15b76
                                                        • Instruction Fuzzy Hash: 43418EB1A01215BEDB10AB618C49FDEBBB8EF04240F104285F909AE289D779AA55DB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036A209
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,SeqExecute,?,00000000), ref: 7036A16F
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • GetLastError.KERNEL32(00000000,00000000,7038A240,00000020,7036D02C,00000000,?,7038A4A0,00000020,7036B7F3,SEQ Control,00000002,00000000,00000000), ref: 7036A134
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • GetProcessHeap.KERNEL32(00000008,00000048,7038A240,00000020,7036D02C,00000000,?,7038A4A0,00000020,7036B7F3,SEQ Control,00000002,00000000,00000000), ref: 7036A17F
                                                        • HeapAlloc.KERNEL32(00000000), ref: 7036A186
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036A19D
                                                        • WdsDuplicateData.WDSCORE(00000020,00000000), ref: 7036A1EC
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000003E4,onecore\base\ntsetup\panther\engine\seq.c,pConstructEvent,?,00000000), ref: 7036A23C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorHeapLast$AllocMessageProcessSetup$ConstructDataDuplicatePartialmemset
                                                        • String ID: Could not allocate event list item$Could not associate Module name, Major or Minor event with new event$onecore\base\ntsetup\panther\engine\seq.c$pConstructEvent$pConstructEvent() -- invalid WDS_DATA specified: %s
                                                        • API String ID: 2151438953-222506115
                                                        • Opcode ID: d60c346253e64c1a2db570327964e1cbf65fc576929e20b20270237d8fb27f8d
                                                        • Instruction ID: acb190cb8ee5303f207cf3d9e6810b72d038f63ea9f96653349503c1b501c765
                                                        • Opcode Fuzzy Hash: d60c346253e64c1a2db570327964e1cbf65fc576929e20b20270237d8fb27f8d
                                                        • Instruction Fuzzy Hash: 10417CB1E40618BFEB108F95CC41FEEBBB8AF09650F10420AFD15BA284D775A9019B64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(7038DF40,7038A7C0,00000014,703708EC,00000208), ref: 7036FF9D
                                                        • GetLastError.KERNEL32 ref: 70370041
                                                        • GetLastError.KERNEL32(-00000018), ref: 7037008D
                                                        • GetLastError.KERNEL32 ref: 7036FFAD
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000460,onecore\base\ntsetup\panther\engine\engine.cpp,pLookupContentsFileEntry,?,00000000,00000000,00000000), ref: 7036FFEA
                                                        • GetLastError.KERNEL32 ref: 70370000
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$ConstructCriticalEnterMessagePartialSectionSetup
                                                        • String ID: C:\$Windows.~WS\Sources\Panther$Couldn't construct contents file!$Couldn't copy pFV->FileName in pLookupContentsFileEntry$Couldn't find queue '%s' in contents file$No working dir has been given to panther. Call WdsInitialize(Reinit=TRUE) to specify one (2nd msg)$onecore\base\ntsetup\panther\engine\engine.cpp$pLookupContentsFileEntry
                                                        • API String ID: 3282997662-4251285282
                                                        • Opcode ID: dd59ec737eeda1c0581ee47bd5770bbf0a0a788f8bc4fd601450be83bf81eaa8
                                                        • Instruction ID: f0d79a9410febe90137a4f634a7b3c69318146a62a6623787a470491002aad5c
                                                        • Opcode Fuzzy Hash: dd59ec737eeda1c0581ee47bd5770bbf0a0a788f8bc4fd601450be83bf81eaa8
                                                        • Instruction Fuzzy Hash: F231B4B2A04205BFE7149BA2DC0BF9F76ACDB55320F20835DF945EF188EBA46C019665
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                          • Part of subcall function 7036942E: GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,7036B400,?,7036B525), ref: 70369440
                                                          • Part of subcall function 7036942E: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000004B,onecore\base\ntsetup\panther\engine\seq.c,pLock,7036B525,00000000,?,7036B400,?,7036B525), ref: 70369473
                                                          • Part of subcall function 7036942E: EnterCriticalSection.KERNEL32(0000006C,00000000,00000000,?,7036B400,?,7036B525), ref: 70369479
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000AF8,onecore\base\ntsetup\panther\engine\seq.c,SeqEnableExit,?,00000000,?,?,?,00000000,?,70371A23), ref: 7036B8F0
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,?,00000000,?,70371A23), ref: 7036B8BA
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,?,00000000,?,70371A23), ref: 7036B924
                                                        • WdsSetupLogMessageW.WDSCORE(00000000), ref: 7036B95F
                                                        • SetEvent.KERNEL32(?,00000000), ref: 7036B967
                                                        • LeaveCriticalSection.KERNEL32(0000006C,?,?,?,00000000,?,70371A23), ref: 7036B971
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetup$CriticalHeapSection$AllocConstructEnterEventLeavePartialProcessmemset
                                                        • String ID: SeqEnableExit$WdsEnableExit$WdsEnableExit already called$WdsEnableExit called! When group #%d is empty, execution will stop, and the queue %s be saved.$onecore\base\ntsetup\panther\engine\seq.c$will$won't
                                                        • API String ID: 2877112664-2618644816
                                                        • Opcode ID: aa5a757c81068f82c65b13a1b90de93da622eed8128d633690954dee3546a0bf
                                                        • Instruction ID: 85ebb4fc47a4de8f41cfb92b5a5e3fdc3a4b7d473f91543b7a5aa4b027007476
                                                        • Opcode Fuzzy Hash: aa5a757c81068f82c65b13a1b90de93da622eed8128d633690954dee3546a0bf
                                                        • Instruction Fuzzy Hash: 1E21F572600704BFD7208BA6CC45E7F72EDEF84204B214529F9869A295DFB1EC018B25
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                          • Part of subcall function 7036942E: GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,7036B400,?,7036B525), ref: 70369440
                                                          • Part of subcall function 7036942E: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000004B,onecore\base\ntsetup\panther\engine\seq.c,pLock,7036B525,00000000,?,7036B400,?,7036B525), ref: 70369473
                                                          • Part of subcall function 7036942E: EnterCriticalSection.KERNEL32(0000006C,00000000,00000000,?,7036B400,?,7036B525), ref: 70369479
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000B27,onecore\base\ntsetup\panther\engine\seq.c,SeqExitImmediately,?,00000000,?,?,?,00000000,?,70371AC3), ref: 7036B9EC
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,?,00000000,?,70371AC3), ref: 7036B9B6
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036BA0D
                                                        • WdsSetupLogMessageW.WDSCORE(00000000), ref: 7036BA45
                                                        • SetEvent.KERNEL32(?,00000000), ref: 7036BA4D
                                                        • LeaveCriticalSection.KERNEL32(0000006C), ref: 7036BA57
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetup$CriticalHeapSection$AllocConstructEnterEventLeavePartialProcessmemset
                                                        • String ID: SeqExitImmediately$WdsExitImmediate$WdsExitImmediate already called$WdsExitImmediate called! Execution will stop, and the queue %s be saved.$onecore\base\ntsetup\panther\engine\seq.c$will$won't
                                                        • API String ID: 2877112664-1194733778
                                                        • Opcode ID: 406358d8e84557b05113163f0a19af41d5de475a72ba3d32ee5bdeb812706de6
                                                        • Instruction ID: 02401e0cb3276794c2d62770a5b8fd5c0c09c42cbfab193ce291d4f4a1862c33
                                                        • Opcode Fuzzy Hash: 406358d8e84557b05113163f0a19af41d5de475a72ba3d32ee5bdeb812706de6
                                                        • Instruction Fuzzy Hash: 4B1157B3200704BFD7201BA2CC46FAF72ADDB84218F214619F942AE189CFF5AC029735
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000,7038A560,00000238,7037093A,00000208), ref: 7036DACC
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000), ref: 7036DB07
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • memset.MSVCRT ref: 7036DB19
                                                          • Part of subcall function 7036E4A1: memset.MSVCRT ref: 7036E4C9
                                                          • Part of subcall function 7036E4A1: CreateFileW.KERNEL32(?,80000000,?,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?), ref: 7036E515
                                                          • Part of subcall function 7036E4A1: GetLastError.KERNEL32(?,?,?,80000000,?,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther), ref: 7036E52A
                                                          • Part of subcall function 7036E4A1: WdsSetupLogMessageW.WDSCORE(00000000,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?), ref: 7036E55F
                                                          • Part of subcall function 7036E84C: ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,00000004,00000001,?,?,?,?,7036E902,00000000,00000000,?,?), ref: 7036E871
                                                          • Part of subcall function 7036ED78: GetProcessHeap.KERNEL32(00000000,7036D6A8,?,?,7038A660,00000020,7036D6A8,?,00000014,00000000,SeqExecute,?), ref: 7036EE6A
                                                          • Part of subcall function 7036ED78: HeapFree.KERNEL32(00000000,?,00000014,00000000,SeqExecute,?), ref: 7036EE71
                                                          • Part of subcall function 7036D7AF: GetLastError.KERNEL32(00000000,00000000,?,7038A540,00000428,7036DBF3,00000000,?,?,00000000,?,?,?), ref: 7036D858
                                                          • Part of subcall function 7036D7AF: WdsSetupLogMessageW.WDSCORE(00000000,?,?,00000000,?,?,?,00000000), ref: 7036D899
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,?), ref: 7036DC02
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,?,?,00000000,?,?,?), ref: 7036DCB9
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,?,00000000,?,?,?,00000000), ref: 7036DCFA
                                                        • SetEvent.KERNEL32(?,00000000,?,00000000,?,00000000,?,?,00000000,?,?,?), ref: 7036DD04
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$HeapMessageSetup$memset$FileProcess$AllocConstructCreateEventFreePartialRead
                                                        • String ID: Failed to Merge the Persistent Queue into the Event Queue$SeqSerializeFromFile$SeqSerializeToFile OF_Close failed for %s$SerializeFromFile '%s'$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 2879920601-3220475601
                                                        • Opcode ID: edf17f9870aa3f6ddab70a3dcad11fd9c41f45d7d81ef52189a2b7b3bf65dc1b
                                                        • Instruction ID: 44501f849475acc0ef8be2cde46cd0f974eed511039ad2aedaae5e97104db2ec
                                                        • Opcode Fuzzy Hash: edf17f9870aa3f6ddab70a3dcad11fd9c41f45d7d81ef52189a2b7b3bf65dc1b
                                                        • Instruction Fuzzy Hash: DE615F71A00214AFDB10DF65CC85EEE77B9EF88604F1041A9FD09EE259EB35AE45CB20
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • memset.MSVCRT ref: 7036F79F
                                                        • memset.MSVCRT ref: 7036F7B4
                                                          • Part of subcall function 7036E4A1: memset.MSVCRT ref: 7036E4C9
                                                          • Part of subcall function 7036E4A1: CreateFileW.KERNEL32(?,80000000,?,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?), ref: 7036E515
                                                          • Part of subcall function 7036E4A1: GetLastError.KERNEL32(?,?,?,80000000,?,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther), ref: 7036E52A
                                                          • Part of subcall function 7036E4A1: WdsSetupLogMessageW.WDSCORE(00000000,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?), ref: 7036E55F
                                                        • GetLastError.KERNEL32(00000001,?,?,?,?,00000000,?,?,?,7038A740,00000438,7036FEF0,SeqExecute,?,00000000), ref: 7036F7FA
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000002A6,onecore\base\ntsetup\panther\engine\engine.cpp,pSaveNewContentsFile,00000000,00000000,00000000,00000000,?,00000000), ref: 7036F83F
                                                        • GetLastError.KERNEL32(00000001,?,?,?,?,00000000,?,?,?,7038A740,00000438,7036FEF0,SeqExecute,?,00000000), ref: 7036F852
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000002A2,onecore\base\ntsetup\panther\engine\engine.cpp,pSaveNewContentsFile,00000000,00000000,00000000,00000000,?,?,00000000), ref: 7036F899
                                                        • GetLastError.KERNEL32(00000000,?,00000004,00000001,?,?,?,?,00000000,?,?,?,7038A740,00000438,7036FEF0,SeqExecute), ref: 7036F8B8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetupmemset$ConstructCreateFilePartial
                                                        • String ID: Failed to open contents file for output '%s'$Failed to write out ContentsFile->FileVersions$Saving Contents File %s$onecore\base\ntsetup\panther\engine\engine.cpp$pSaveNewContentsFile
                                                        • API String ID: 3760912581-713548380
                                                        • Opcode ID: 552c0cdc856ac2e550b093b9fd90645c26969d60ba17b2c15449619db9eb3363
                                                        • Instruction ID: 887fc41b655e39c6eebe04f0cce60b8dc600d668b99ac41bac3cea65132a6305
                                                        • Opcode Fuzzy Hash: 552c0cdc856ac2e550b093b9fd90645c26969d60ba17b2c15449619db9eb3363
                                                        • Instruction Fuzzy Hash: 2141B3B2A00214BEE714CBA1CC0AFDF777CDB44220F10429AF909AB188EB70AD458771
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • memset.MSVCRT ref: 7036F435
                                                        • memset.MSVCRT ref: 7036F456
                                                        • GetProcessHeap.KERNEL32(00000008,0000020C,?,?,?,SeqExecute,?,00000000), ref: 7036F468
                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,SeqExecute,?,00000000), ref: 7036F46F
                                                          • Part of subcall function 70369321: GetProcessHeap.KERNEL32(00000008,00000018,00000098,?,7036AE34), ref: 7036932D
                                                          • Part of subcall function 70369321: HeapAlloc.KERNEL32(00000000), ref: 70369334
                                                          • Part of subcall function 7036E4A1: memset.MSVCRT ref: 7036E4C9
                                                          • Part of subcall function 7036E4A1: CreateFileW.KERNEL32(?,80000000,?,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?), ref: 7036E515
                                                          • Part of subcall function 7036E4A1: GetLastError.KERNEL32(?,?,?,80000000,?,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther), ref: 7036E52A
                                                          • Part of subcall function 7036E4A1: WdsSetupLogMessageW.WDSCORE(00000000,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?), ref: 7036E55F
                                                        • GetLastError.KERNEL32(00000000,?,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?,00000000), ref: 7036F4F1
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000210,onecore\base\ntsetup\panther\engine\engine.cpp,pConstructContentsFile,00000000,00000000,00000000,00000000,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther), ref: 7036F534
                                                        • GetLastError.KERNEL32(00000000,?,00000004,00000000,?,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?,00000000), ref: 7036F557
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$ErrorLastmemset$AllocMessageProcessSetup$ConstructCreateFilePartial
                                                        • String ID: C:\$Windows.~WS\Sources\Panther$Failed to open contents file '%s'$Failed to read in ContentsFile->FileVersions$onecore\base\ntsetup\panther\engine\engine.cpp$pConstructContentsFile
                                                        • API String ID: 413641370-744104563
                                                        • Opcode ID: 7067bb2e2930ee8db61e4e3b1bbb2e2e31eacae501bc74c12595f27499fe3817
                                                        • Instruction ID: 3529bf70e551ac60721eef05b4bfa3b9d47f8bebe1de1a3fc0abc16ccc58acde
                                                        • Opcode Fuzzy Hash: 7067bb2e2930ee8db61e4e3b1bbb2e2e31eacae501bc74c12595f27499fe3817
                                                        • Instruction Fuzzy Hash: 4541C3F2A00218BFE7208F958D45FDE77BCEB45354F10059AFA0EAB188DA70AD458B75
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                        • GetCurrentThreadId.KERNEL32 ref: 7036A935
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036A944
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000063C,onecore\base\ntsetup\panther\engine\seq.c,SeqUnlockExecutionGroup,?,00000000), ref: 7036A97A
                                                        • SetEvent.KERNEL32(?), ref: 7036A98F
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036A99B
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000647,onecore\base\ntsetup\panther\engine\seq.c,SeqUnlockExecutionGroup,?,00000000), ref: 7036A9D1
                                                        • LeaveCriticalSection.KERNEL32(?,00000000,00090000,70361E24,00000000,00000647,onecore\base\ntsetup\panther\engine\seq.c,SeqUnlockExecutionGroup,?,00000000), ref: 7036A9DA
                                                        Strings
                                                        • Attempt to use WdsUnlockExecutionGroup from another thread, xrefs: 7036A968
                                                        • SeqUnlockExecutionGroup, xrefs: 7036A94E, 7036A9A5
                                                        • Trying to unlock queue which is already unlocked! (SEQ4), xrefs: 7036A9BF
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 7036A953, 7036A9AA
                                                        • WdsUnlockExecutionGroup, xrefs: 7036A919
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastMessageSetup$CriticalCurrentEventLeaveSectionThread
                                                        • String ID: Attempt to use WdsUnlockExecutionGroup from another thread$SeqUnlockExecutionGroup$Trying to unlock queue which is already unlocked! (SEQ4)$WdsUnlockExecutionGroup$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 3140577030-548442725
                                                        • Opcode ID: b489a31af4594a53c2b6e9a59a63956482f114c3ccccdbff33279afa06a51a2e
                                                        • Instruction ID: ed1c80b1e569c3351c57a5840efdfbc8a381d126a9fc045c68cfd85ba7e34a2a
                                                        • Opcode Fuzzy Hash: b489a31af4594a53c2b6e9a59a63956482f114c3ccccdbff33279afa06a51a2e
                                                        • Instruction Fuzzy Hash: DE11E272748A04BEC70157729C0AEAF7A9CEB90250B328505F858DE188DB65F811D7B6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WdsCollectionAddValue.WDSCORE(00000000,?,?,00000004,?,00000004,00000004,00000004,7038A8A0,00000038), ref: 70372090
                                                        • GetLastError.KERNEL32(00000000,?,?,00000004,00000004,00000004,00000000,?,?,00000004,?,00000004,00000004,00000004,7038A8A0,00000038), ref: 70372099
                                                        • GetLastError.KERNEL32(7038A8A0,00000038), ref: 70371EFD
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000C35,onecore\base\ntsetup\panther\engine\engine.cpp,WdsUnpackCollection,?,00000000,00000000,00000000), ref: 70371F38
                                                        • WdsAllocCollection.WDSCORE(7038A8A0,00000038), ref: 70371F45
                                                        • GetLastError.KERNEL32(00000004,00000004,00000000,?,?,00000004,?,00000004,00000004,00000004,7038A8A0,00000038), ref: 70371FE0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$Collection$AllocConstructMessagePartialSetupValue
                                                        • String ID: WdsUnPackCollection -- Data->Type != WDS_TYPE_PACKED_COLLECTION$WdsUnPackCollection -- Invalid type passed$WdsUnPackCollection -- couldn't add value$WdsUnpackCollection$onecore\base\ntsetup\panther\engine\engine.cpp
                                                        • API String ID: 2734257674-1791480980
                                                        • Opcode ID: be3f311fac5cced437cfe3bdc907d7d8c16556649adb2b677683d49ba9f47b87
                                                        • Instruction ID: fe8b22d53d1c20a573f922fd8bbc254f28694cb96e38d4c37b50e98debaa22e6
                                                        • Opcode Fuzzy Hash: be3f311fac5cced437cfe3bdc907d7d8c16556649adb2b677683d49ba9f47b87
                                                        • Instruction Fuzzy Hash: 28512172A00209AEDB05CFA5D986EDEB7B9EF08350F10911DF912BB254D778AD42CA60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000,7038A520,0000002C,7036DDF8), ref: 7036D61C
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,SeqExecute,?,00000000), ref: 7036D656
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • GetLastError.KERNEL32(00000000,00000000,?,00000014,00000000,SeqExecute,?), ref: 7036D6BA
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000012A1,onecore\base\ntsetup\panther\engine\seq.c,SeqSerializeToFile,?,00000000,?,00000014,00000000,SeqExecute,?), ref: 7036D6F1
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,?,?,00000000,00090000,70361E24,00000000,000012A1,onecore\base\ntsetup\panther\engine\seq.c,SeqSerializeToFile,?,00000000,?,00000014), ref: 7036D713
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000012A5,onecore\base\ntsetup\panther\engine\seq.c,SeqSerializeToFile,70361E24,00000000,?,?,00000000,00090000,70361E24,00000000,000012A1), ref: 7036D74A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetup$Heap$AllocConstructPartialProcessmemset
                                                        • String ID: Saving Main Event Queue$Saving Permanent Event Queue$SeqSerializeToFile$SerializeToFile: %s$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 1676988407-1067163853
                                                        • Opcode ID: e6c075f0d00d0984a33e7b86063eb7c052fb4232000b81cf491aa90b304f7e5a
                                                        • Instruction ID: 6e1736e974d9201b3d8ba62c97bb443a58b1a5349db08f99c21667bf5f2ef7e9
                                                        • Opcode Fuzzy Hash: e6c075f0d00d0984a33e7b86063eb7c052fb4232000b81cf491aa90b304f7e5a
                                                        • Instruction Fuzzy Hash: BE413F71B40204BFEB00DF65DD82FAE77B9AF88614F104129FA06EF284DB74BD118665
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                          • Part of subcall function 7036942E: GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,7036B400,?,7036B525), ref: 70369440
                                                          • Part of subcall function 7036942E: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000004B,onecore\base\ntsetup\panther\engine\seq.c,pLock,7036B525,00000000,?,7036B400,?,7036B525), ref: 70369473
                                                          • Part of subcall function 7036942E: EnterCriticalSection.KERNEL32(0000006C,00000000,00000000,?,7036B400,?,7036B525), ref: 70369479
                                                        • GetLastError.KERNEL32(00000000,00000000,7038A4C0,00000020,7037193A,?,?,?,?,?), ref: 7036D20F
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00001190,onecore\base\ntsetup\panther\engine\seq.c,SeqPublishImmediateAsync,?,00000000), ref: 7036D255
                                                          • Part of subcall function 7036A0F7: GetLastError.KERNEL32(00000000,00000000,7038A240,00000020,7036D02C,00000000,?,7038A4A0,00000020,7036B7F3,SEQ Control,00000002,00000000,00000000), ref: 7036A134
                                                          • Part of subcall function 7036A0F7: WdsSetupLogMessageW.WDSCORE(00000000,SeqExecute,?,00000000), ref: 7036A16F
                                                          • Part of subcall function 7036A0F7: GetProcessHeap.KERNEL32(00000008,00000048,7038A240,00000020,7036D02C,00000000,?,7038A4A0,00000020,7036B7F3,SEQ Control,00000002,00000000,00000000), ref: 7036A17F
                                                          • Part of subcall function 7036A0F7: HeapAlloc.KERNEL32(00000000), ref: 7036A186
                                                          • Part of subcall function 7036A0F7: GetLastError.KERNEL32(00000000,00000000), ref: 7036A19D
                                                          • Part of subcall function 7036A0F7: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000003E4,onecore\base\ntsetup\panther\engine\seq.c,pConstructEvent,?,00000000), ref: 7036A23C
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,?,7038A4C0,00000020,7037193A,?,?,?,?,?), ref: 7036D281
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • GetLastError.KERNEL32(00000000,00000000,7038A4C0,00000020,7037193A,?,?,?,?,?), ref: 7036D2CE
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000116C,onecore\base\ntsetup\panther\engine\seq.c,SeqPublishImmediateAsync,?,00000000), ref: 7036D304
                                                        • SetLastError.KERNEL32(00000057,00000000,00090000,70361E24,00000000,0000116C,onecore\base\ntsetup\panther\engine\seq.c,SeqPublishImmediateAsync,?,00000000), ref: 7036D30B
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetup$Heap$AllocConstructCriticalEnterPartialProcessSection
                                                        • String ID: Could not allocate event list item (SEQ16a)$SeqPublishImmediateAsync$SeqPublishImmediateAsync() -- MajorEvent and MinorEvent cannot be 0$WdsPublishImmediateAsync() -- Invalid event data submitted by '%s': %s$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 530838258-2271054066
                                                        • Opcode ID: 4601559eaea5c526533c28fed6a8596abc4042faab972e3e4b72b9d20df9ed56
                                                        • Instruction ID: 298bdf94ae8a49b258da8e8169ae7addeabe095c6bc7f0cdfb5436bbf4965092
                                                        • Opcode Fuzzy Hash: 4601559eaea5c526533c28fed6a8596abc4042faab972e3e4b72b9d20df9ed56
                                                        • Instruction Fuzzy Hash: 49413C75E00205AFDB00CFA5CD45AEE7BB9EF48250F20811AF915BB388DB75E911CB65
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,SeqExecute,?,00000000), ref: 7036E092
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,7036C8C0,7038A420,00000068,7036D07A,00000000,?,7038A4A0,00000020,7036B7F3), ref: 7036E058
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,7036C8C0,7038A420,00000068,7036D07A,00000000,?,7038A4A0,00000020,7036B7F3), ref: 7036E09E
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00001419,onecore\base\ntsetup\panther\engine\seq.c,pExecuteSEQControlEvent,00000000,00000000,?,00000000,?,?,7036C8C0,7038A420,00000068), ref: 7036E0D4
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,7036C8C0,7038A420,00000068,7036D07A,00000000,?,7038A4A0,00000020,7036B7F3), ref: 7036E0E0
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00001414,onecore\base\ntsetup\panther\engine\seq.c,pExecuteSEQControlEvent,00000000,00000000,?,00000000,?,?,7036C8C0,7038A420,00000068), ref: 7036E116
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetup$Heap$AllocConstructPartialProcessmemset
                                                        • String ID: SEQ EVENT_SERIALIZE Received$SEQ EVENT_SERIALIZE_BEFORE_EXIT Received. Will only save modules with persistent subscriptions!$Unknown SEQ Control Event received %d$onecore\base\ntsetup\panther\engine\seq.c$pExecuteSEQControlEvent
                                                        • API String ID: 1676988407-168388522
                                                        • Opcode ID: 6516c12b86276c7d753945008688cc641f07544c75d4e3ecb6b94106712ce262
                                                        • Instruction ID: ede363627682aae80f83cbbc694672a7eb17c7f3160f75c9b0d2e0d5d2177ec5
                                                        • Opcode Fuzzy Hash: 6516c12b86276c7d753945008688cc641f07544c75d4e3ecb6b94106712ce262
                                                        • Instruction Fuzzy Hash: 89215C737401047EE6101B674C0BEEF7E6CDF86658F108315FD08AF19DDA66B806A2B4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036A865
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000060B,onecore\base\ntsetup\panther\engine\seq.c,SeqLockExecutionGroup,?,00000000), ref: 7036A89C
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                          • Part of subcall function 7036942E: GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,7036B400,?,7036B525), ref: 70369440
                                                          • Part of subcall function 7036942E: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000004B,onecore\base\ntsetup\panther\engine\seq.c,pLock,7036B525,00000000,?,7036B400,?,7036B525), ref: 70369473
                                                          • Part of subcall function 7036942E: EnterCriticalSection.KERNEL32(0000006C,00000000,00000000,?,7036B400,?,7036B525), ref: 70369479
                                                        • GetCurrentThreadId.KERNEL32 ref: 7036A8A8
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036A8B5
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000610,onecore\base\ntsetup\panther\engine\seq.c,SeqLockExecutionGroup,?,00000000), ref: 7036A8E7
                                                          • Part of subcall function 7037F850: wcsrchr.MSVCRT ref: 7037F993
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 7037FA32
                                                          • Part of subcall function 7037F850: HeapFree.KERNEL32(00000000,?,?), ref: 7037FA39
                                                          • Part of subcall function 7037F850: GetCurrentThreadId.KERNEL32 ref: 7037FA56
                                                          • Part of subcall function 7037F850: GetMinorTask.WDSCORE ref: 7037FA72
                                                          • Part of subcall function 7037F850: GetMajorTask.WDSCORE ref: 7037FA7B
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 7036A8F8
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$HeapMessageSetup$CriticalCurrentProcessSectionTaskThread$AllocConstructEnterFreeLeaveMajorMinorPartialmemsetwcsrchr
                                                        • String ID: Attempt to use SeqLockExecutionGroup from another thread$SeqLockExecutionGroup$SeqLockExecutionGroup: Initializing ExecQueue->csLock;$WdsLockExecutionGroup$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 1015650964-1884957159
                                                        • Opcode ID: f2ea2b5292168c42d3b1948ffd580839fca4e90a4b027144c43456a1245b3bb8
                                                        • Instruction ID: 733d7d72c53890df010e17325c8c7d961062c479761173e4644ee430cfa0d54c
                                                        • Opcode Fuzzy Hash: f2ea2b5292168c42d3b1948ffd580839fca4e90a4b027144c43456a1245b3bb8
                                                        • Instruction Fuzzy Hash: 59112173204514BFD61007629C4AFBF7A5CEB852A0F30460AFD09DE1C89B66BC1296BA
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000013E5,onecore\base\ntsetup\panther\engine\seq.c,pHandleSerialize,?,00000000), ref: 7036DF9B
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • GetLastError.KERNEL32(00000000,00000000,7036DF30), ref: 7036DF62
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • GetLastError.KERNEL32(00000000,00000000,7036DF30), ref: 7036DFA6
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000013F6,onecore\base\ntsetup\panther\engine\seq.c,pHandleSerialize,?,00000000), ref: 7036DFDF
                                                        • WdsInitializeDataStringW.WDSCORE(?,C:\$Windows.~WS\Sources\Panther,00000000,00090000,70361E24,00000000,000013F6,onecore\base\ntsetup\panther\engine\seq.c,pHandleSerialize,?,00000000), ref: 7036DFF0
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$HeapMessageSetup$AllocConstructDataInitializePartialProcessStringmemset
                                                        • String ID: C:\$Windows.~WS\Sources\Panther$Queue Serialization Failed!$Queue Serialization Succeeded$SEQ Control$onecore\base\ntsetup\panther\engine\seq.c$pHandleSerialize
                                                        • API String ID: 131049550-2446819458
                                                        • Opcode ID: 1adbe8fd580c02f4791e6897e24927e593881f544aa2129a86c030e7005d6e0a
                                                        • Instruction ID: 2b886b15a9039ddcebd33eb84aa3566e6321e64fdf2c3c828a16511be442e798
                                                        • Opcode Fuzzy Hash: 1adbe8fd580c02f4791e6897e24927e593881f544aa2129a86c030e7005d6e0a
                                                        • Instruction Fuzzy Hash: 1901B9B1B011157EEB2057924C4EFEF7B6CEF44251F100289FA0CBD4C8DBB5A9819A34
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32 ref: 70381C2D
                                                        • HeapAlloc.KERNEL32(00000000,00000000,?), ref: 70381C38
                                                        • GetProcessHeap.KERNEL32 ref: 70381C8F
                                                        • HeapAlloc.KERNEL32(00000000,00000000,?), ref: 70381C99
                                                        • memcpy.MSVCRT ref: 70381CB6
                                                        • GetProcessHeap.KERNEL32(00000000,00000008), ref: 70381CF0
                                                        • HeapAlloc.KERNEL32(00000000), ref: 70381CF7
                                                        • GetProcessHeap.KERNEL32 ref: 70381D13
                                                        • HeapAlloc.KERNEL32(00000000,00000000), ref: 70381D20
                                                        • GetProcessHeap.KERNEL32(00000000,00000008), ref: 70381D3A
                                                        • HeapAlloc.KERNEL32(00000000), ref: 70381D41
                                                        • GetProcessHeap.KERNEL32 ref: 70381D80
                                                        • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 70381D8A
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 70381DA5
                                                        • HeapFree.KERNEL32(00000000), ref: 70381DAC
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$memcpy
                                                        • String ID:
                                                        • API String ID: 3081814080-0
                                                        • Opcode ID: 077361a9355108d72a2457886b4e00aefeda16527cb679ec47d41d5381c65219
                                                        • Instruction ID: b6622534a5c6929a82883e13346ff125db75cbac20aec89630d8fe4fed0e9872
                                                        • Opcode Fuzzy Hash: 077361a9355108d72a2457886b4e00aefeda16527cb679ec47d41d5381c65219
                                                        • Instruction Fuzzy Hash: 07513DB2900201DFCB15DFA5C888B9EBBB9FF48701F2145DAE906EB395D7309845CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • memset.MSVCRT ref: 7037D823
                                                        • memset.MSVCRT ref: 7037D836
                                                        • GetLastError.KERNEL32 ref: 7037D913
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,7036548F,00000000,<unknown>,WdsLogStructuredException,?,00000000,?,?), ref: 7037D997
                                                        • UnmapViewOfFile.KERNEL32(?,00000000,00090000,70361E24,7036548F,00000000,<unknown>,WdsLogStructuredException,?,00000000,?,?), ref: 7037D9A7
                                                          • Part of subcall function 7037D556: memset.MSVCRT ref: 7037D57C
                                                          • Part of subcall function 7037D556: GetTempFileNameW.KERNEL32(C:\$Windows.~WS\Sources\Panther\,mnd,00000000,?,?,?,<unknown>), ref: 7037D59E
                                                          • Part of subcall function 7037D620: GetCurrentThreadId.KERNEL32 ref: 7037D685
                                                          • Part of subcall function 7037D620: GetCurrentProcessId.KERNEL32(?,C0000000,00000000,00000000,00000002,00000100,00000000,7038AFD8,00000030,7037D87C,?,?,?), ref: 7037D69A
                                                          • Part of subcall function 7037D620: GetCurrentProcess.KERNEL32(?,C0000000,00000000,00000000,00000002,00000100,00000000,7038AFD8,00000030,7037D87C,?,?,?), ref: 7037D6A2
                                                          • Part of subcall function 7037D620: GetFileSize.KERNEL32(000000FF,?,?,C0000000,00000000,00000000,00000002,00000100,00000000,7038AFD8,00000030,7037D87C,?,?,?), ref: 7037D6D3
                                                          • Part of subcall function 7037D620: CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,?,00000000,00000000,?,C0000000,00000000,00000000,00000002,00000100,00000000,7038AFD8,00000030,7037D87C), ref: 7037D6EA
                                                          • Part of subcall function 7037D620: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,C0000000,00000000,00000000,00000002,00000100,00000000,7038AFD8,00000030,7037D87C,?), ref: 7037D6FD
                                                        Strings
                                                        • <unknown>, xrefs: 7037D7DC, 7037D980
                                                        • WdsLogStructuredException, xrefs: 7037D97B
                                                        • W6p, xrefs: 7037D959
                                                        • Exception (code 0x%08X: %s) occurred at 0x%p in %s (+%p). Minidump attached (%d bytes) to diagerr.xml and %s., xrefs: 7037D8FB
                                                        • Exception (code 0x%08X: %s) occurred at 0x%p in %s (+%p)., xrefs: 7037D909
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: File$Currentmemset$ProcessView$CreateErrorLastMappingMessageNameSetupSizeTempThreadUnmap
                                                        • String ID: <unknown>$Exception (code 0x%08X: %s) occurred at 0x%p in %s (+%p).$Exception (code 0x%08X: %s) occurred at 0x%p in %s (+%p). Minidump attached (%d bytes) to diagerr.xml and %s.$WdsLogStructuredException$W6p
                                                        • API String ID: 2016291896-1344386866
                                                        • Opcode ID: a4c26868af7cc3027fd61dfe53efe0c819c6e3dd52a573fb11275af70b283a7e
                                                        • Instruction ID: 61e2e0322f8cd953c12d4a93eac7099950531d9724b27e30366f90991ab81c2a
                                                        • Opcode Fuzzy Hash: a4c26868af7cc3027fd61dfe53efe0c819c6e3dd52a573fb11275af70b283a7e
                                                        • Instruction Fuzzy Hash: 725104F1A002189FCB50DF25CC84BDDB7B9AF48314F5041E9B609A7285DB74AE81CF68
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateMutexW.KERNEL32(00000000,00000001,?,7038AA78,00000040,70373899,00000000,?,?,?,?,?,?,?,?,?), ref: 70373907
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000231,onecore\base\ntsetup\panther\engine\bb.cpp,CConsistentFileMapping::Open,00000002,00000000,00000000,00000000,?,?,?,?,?), ref: 70373A3C
                                                        • GetFileSize.KERNEL32(?,?,?,?,?,?,?,?,?,?,Mtx,?,CFM,00000000,00000000,?), ref: 70373A91
                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,?,?,?,?,?,?,?,?,?,Mtx,?,CFM), ref: 70373B0B
                                                        • memset.MSVCRT ref: 70373B23
                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 70373B2C
                                                        Strings
                                                        • CConsistentFileMapping::Open, xrefs: 70373A21
                                                        • CConsistentFileMapping::Open: CreateFile failed., xrefs: 70373A0C
                                                        • onecore\base\ntsetup\panther\engine\bb.cpp, xrefs: 70373A26
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: File$View$CreateMessageMutexSetupSizeUnmapmemset
                                                        • String ID: CConsistentFileMapping::Open$CConsistentFileMapping::Open: CreateFile failed.$onecore\base\ntsetup\panther\engine\bb.cpp
                                                        • API String ID: 2715570292-1472106363
                                                        • Opcode ID: 92ec560b10afe59e47bff0357759d52f314d7d0e304fdfaf4a39dcbb9b647030
                                                        • Instruction ID: 2a3b3017338c03f1895ba6bb6540008f36d566a253140bd24523de342cf5c2f7
                                                        • Opcode Fuzzy Hash: 92ec560b10afe59e47bff0357759d52f314d7d0e304fdfaf4a39dcbb9b647030
                                                        • Instruction Fuzzy Hash: F3B1D7B6E01218DFDB05CF99C884AADBBB5FB48710F25815AE916B7390C779AD01CF60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(7038DF40,7038A780,00000010,7036DD91), ref: 7036FC0C
                                                        • GetLastError.KERNEL32 ref: 7036FC1B
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                          • Part of subcall function 7036F64A: memset.MSVCRT ref: 7036F676
                                                          • Part of subcall function 7036E4A1: memset.MSVCRT ref: 7036E4C9
                                                          • Part of subcall function 7036E4A1: CreateFileW.KERNEL32(?,80000000,?,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?), ref: 7036E515
                                                          • Part of subcall function 7036E4A1: GetLastError.KERNEL32(?,?,?,80000000,?,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther), ref: 7036E52A
                                                          • Part of subcall function 7036E4A1: WdsSetupLogMessageW.WDSCORE(00000000,?,00000003,08000080,?,?,?,00000001,C:\$Windows.~WS\Sources\Panther,?,?,?,SeqExecute,?), ref: 7036E55F
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000003A8,onecore\base\ntsetup\panther\engine\engine.cpp,EngineBeginSaveOperation,00000000,00000000,00000000,00000000), ref: 7036FC56
                                                        • GetLastError.KERNEL32 ref: 7036FC74
                                                        Strings
                                                        • C:\$Windows.~WS\Sources\Panther, xrefs: 7036FC12
                                                        • EngineBeginSaveOperation, xrefs: 7036FC3B, 7036FC94
                                                        • EngineBegineSaveOperation couldn't create contents file, xrefs: 7036FC7F
                                                        • onecore\base\ntsetup\panther\engine\engine.cpp, xrefs: 7036FC40, 7036FC99
                                                        • No working dir has been given to panther. Call WdsInitialize(ReInit=TRUE) to specify one, xrefs: 7036FC26
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetupmemset$ConstructCreateCriticalEnterFilePartialSection
                                                        • String ID: C:\$Windows.~WS\Sources\Panther$EngineBeginSaveOperation$EngineBegineSaveOperation couldn't create contents file$No working dir has been given to panther. Call WdsInitialize(ReInit=TRUE) to specify one$onecore\base\ntsetup\panther\engine\engine.cpp
                                                        • API String ID: 2263869850-1552244131
                                                        • Opcode ID: f7f028141e4628c8154704f6edc7d3dea7880a2e346a7aa6bbae671e6440e2d6
                                                        • Instruction ID: 66c0cb874b5525c6f7891889e8e31cba5dfe20da7cf999499ffae75671ae6af3
                                                        • Opcode Fuzzy Hash: f7f028141e4628c8154704f6edc7d3dea7880a2e346a7aa6bbae671e6440e2d6
                                                        • Instruction Fuzzy Hash: 2621C872A042087EE7009BA28D42F9E377CDF40764F20425AFD419E2C8DB746C01A771
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000,pConstructEvent,?,?,7036A1F1,00000020,00000000), ref: 7037111F
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000794,onecore\base\ntsetup\panther\engine\engine.cpp,WdsDuplicateData,00000000,00000000,00000000,00000000,SeqExecute,?,00000000), ref: 7037115D
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,pConstructEvent,?,?,7036A1F1,00000020,00000000), ref: 7037117F
                                                        • HeapAlloc.KERNEL32(00000000,00000008,?,?,7036A1F1,00000020,00000000), ref: 70371189
                                                        • memcpy.MSVCRT ref: 703711A5
                                                        Strings
                                                        • WdsDuplicateData failed, invalid source data - %s, xrefs: 7037112A
                                                        • WdsDuplicateData, xrefs: 70371142
                                                        • onecore\base\ntsetup\panther\engine\engine.cpp, xrefs: 70371147
                                                        • pConstructEvent, xrefs: 70371106
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocErrorLastProcess$ConstructMessagePartialSetupmemcpymemset
                                                        • String ID: WdsDuplicateData$WdsDuplicateData failed, invalid source data - %s$onecore\base\ntsetup\panther\engine\engine.cpp$pConstructEvent
                                                        • API String ID: 1875294160-4160002273
                                                        • Opcode ID: 3653b70c21cf7ed93c4a01a386db548472d48d4a7e14cff82c099d5f4300767d
                                                        • Instruction ID: d78f704116fcdd4afb7682b96b7be6bd45fe40fe62218cada329b6ea9396013a
                                                        • Opcode Fuzzy Hash: 3653b70c21cf7ed93c4a01a386db548472d48d4a7e14cff82c099d5f4300767d
                                                        • Instruction Fuzzy Hash: F1216D72A00206FFDB108F9ACD8195EBBBDEF14250B11C52AFA5A9B350D774ED10CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateMutexW.KERNEL32(00000000,00000001,?,7038ACE8,00000034,703781EF,?,0000000A,?,00000001,Mtx,?,Storage,?,00000004,70378E78), ref: 7037829F
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000114E,onecore\base\ntsetup\panther\engine\bb.cpp,CStorage::Open,00000000,00000000,00000000,00000000), ref: 703783A9
                                                        • wcsrchr.MSVCRT ref: 70378509
                                                        • memcpy.MSVCRT ref: 7037855D
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                          • Part of subcall function 70374BBA: __EH_prolog3_GS.LIBCMT ref: 70374BC1
                                                        Strings
                                                        • CStorage::Open: m_pMapping->Create(%s) failed., xrefs: 70378410
                                                        • CStorage::Open, xrefs: 7037838D, 70378428
                                                        • onecore\base\ntsetup\panther\engine\bb.cpp, xrefs: 70378392, 7037842D
                                                        • CStorage::Open: CConsistentMappingFactory::CreateObject failed., xrefs: 70378376
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ConstructCreateH_prolog3_MessageMutexPartialSetupmemcpywcsrchr
                                                        • String ID: CStorage::Open$CStorage::Open: CConsistentMappingFactory::CreateObject failed.$CStorage::Open: m_pMapping->Create(%s) failed.$onecore\base\ntsetup\panther\engine\bb.cpp
                                                        • API String ID: 2076765893-1461207464
                                                        • Opcode ID: 51cd1fa7c488e03ab313c3fd1d24721fbb2f21c4de784dfd39b13d7940f2e042
                                                        • Instruction ID: fe40199b8f96d284354a5764f863d20e543f26337b043bc6d3998a6940d3d263
                                                        • Opcode Fuzzy Hash: 51cd1fa7c488e03ab313c3fd1d24721fbb2f21c4de784dfd39b13d7940f2e042
                                                        • Instruction Fuzzy Hash: 2FB17C76A00214EFDB058F55CC84BAD7BB5BF88321F258159E906AB391CB78ED02CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000,?,7038A540,00000428,7036DBF3,00000000,?,?,00000000,?,?,?), ref: 7036D858
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,?,?,00000000,?,?,?,00000000), ref: 7036D899
                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 7036D980
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,0000131A,onecore\base\ntsetup\panther\engine\seq.c,pMergePersistentQueue,?,00000000,?,?,00000000,?,?,?,00000000), ref: 7036D9E6
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • pMergePersistentQueue - Prepending Group %d: %s, xrefs: 7036D886
                                                        • pMergePersistentQueue - processing Perm Event: (%s,%s) by: %s, xrefs: 7036D9D3
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 7036D86A, 7036D992
                                                        • pMergePersistentQueue, xrefs: 7036D865, 7036D98D
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$HeapMessageSetup$AllocConstructPartialProcessmemset
                                                        • String ID: onecore\base\ntsetup\panther\engine\seq.c$pMergePersistentQueue$pMergePersistentQueue - Prepending Group %d: %s$pMergePersistentQueue - processing Perm Event: (%s,%s) by: %s
                                                        • API String ID: 1384394582-567817693
                                                        • Opcode ID: f4e496e4692428f7d4f788e61fab78fc790ff9ea8b5babb943fed7f1f414b741
                                                        • Instruction ID: 32f46381d69b89d1ad1aa97ecad749d5837ec7e8b729b386f249dd33dbcc7574
                                                        • Opcode Fuzzy Hash: f4e496e4692428f7d4f788e61fab78fc790ff9ea8b5babb943fed7f1f414b741
                                                        • Instruction Fuzzy Hash: 82710CB5B002149FCB14CF64CD91B9DB3F9AF88210F5101D9E90AAB399DB30AE55CF58
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog3_GS.LIBCMT ref: 70377A2A
                                                          • Part of subcall function 703691E5: _vsnwprintf.MSVCRT ref: 7036920C
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000FAC,onecore\base\ntsetup\panther\engine\bb.cpp,CTypeManager::Open,70378EA3,00000000,00000000,00000000), ref: 70377C37
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                          • Part of subcall function 70372D9C: GetProcessHeap.KERNEL32(FFFFFFFE,FFFFFFFE,70377F57,F4FD9A64,00000000,00000000,70389909,000000FF,?,70378E36), ref: 70372DA8
                                                          • Part of subcall function 70372D9C: HeapFree.KERNEL32(00000000,00000000,FFFFFFFE,?,70378E36), ref: 70372DB2
                                                          • Part of subcall function 7037CDA0: GetProcessHeap.KERNEL32(F4FD9A64,03251AD0,00000000,70389CF9,000000FF,?,70382B13,?,7037F29D), ref: 7037CDCB
                                                          • Part of subcall function 7037CDA0: HeapFree.KERNEL32(00000000,00000000,03251AD0,?,70382B13,?,7037F29D), ref: 7037CDD5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Free$AllocErrorH_prolog3_LastMessageSetup_vsnwprintfmemset
                                                        • String ID: %I64x$%s.%s.spl$CTypeManager::Open$CTypeManager::Open: m_SpinLocks.Create(%s) failed$LBSM$onecore\base\ntsetup\panther\engine\bb.cpp
                                                        • API String ID: 381082179-1343276584
                                                        • Opcode ID: 71f4d2382f397c3b496258e9b7f659ae215db4bfeef1592e4b10ca9d367f32fc
                                                        • Instruction ID: d539e5b89bc77c5bf92271e9538637893c7b1a757944cb31c8422ef7f429699c
                                                        • Opcode Fuzzy Hash: 71f4d2382f397c3b496258e9b7f659ae215db4bfeef1592e4b10ca9d367f32fc
                                                        • Instruction Fuzzy Hash: 8B615F75A00209AFDF19CFA5CD81ADEBBB5FF48300F158159F806AB255E778AD05CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 703698F5
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00000000,?,00000014,00000000,SeqExecute,?), ref: 703699CD
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • Module '%s' with binary '%s' was prevented from loading by negative response to EVENT_LOADING_MODULE, xrefs: 7036991E
                                                        • pResolveBinaryName, xrefs: 70369902, 7036999E
                                                        • Module '%s' with binary '%s' was prevented from loading by improper use of EVENT_LOADING_MODULE's associated data, xrefs: 703699BA
                                                        • SEQ Control, xrefs: 703698D1
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 70369907, 703699A3
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorHeapLast$AllocConstructMessagePartialProcessSetupmemset
                                                        • String ID: Module '%s' with binary '%s' was prevented from loading by improper use of EVENT_LOADING_MODULE's associated data$Module '%s' with binary '%s' was prevented from loading by negative response to EVENT_LOADING_MODULE$SEQ Control$onecore\base\ntsetup\panther\engine\seq.c$pResolveBinaryName
                                                        • API String ID: 641720108-276506283
                                                        • Opcode ID: 8ed098c2da6815e2c672475f57a76866144a6ba3b93c34ec19ee12a9f7306635
                                                        • Instruction ID: 094d8f91a9a8a45ee2791abe7e7a5f123d9e672f5490ed0dfce9643727ae5fa6
                                                        • Opcode Fuzzy Hash: 8ed098c2da6815e2c672475f57a76866144a6ba3b93c34ec19ee12a9f7306635
                                                        • Instruction Fuzzy Hash: 02417571A01618AFEB20CB55CD45FDEB7BAABC4310F1041DAF909AB148DB36AE95CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • memset.MSVCRT ref: 70370139
                                                          • Part of subcall function 7038322D: __EH_prolog3_catch.LIBCMT ref: 70383234
                                                          • Part of subcall function 7038322D: memcpy.MSVCRT ref: 703832DD
                                                        • GetLastError.KERNEL32(?,?), ref: 703701C4
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004B2,onecore\base\ntsetup\panther\engine\engine.cpp,pGetOfflineQueue,?,00000000,00000000,00000000,?,?,?), ref: 7037020F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorH_prolog3_catchLastMessageSetupmemcpymemset
                                                        • String ID: Failed to add group to offline queue '%s'$Failed to load offline queue '%s' from file '%s'$onecore\base\ntsetup\panther\engine\engine.cpp$pGetOfflineQueue
                                                        • API String ID: 4159790461-126881244
                                                        • Opcode ID: f1a2a141445089c48ab984f7ab6c7f59264e2fb43e5b4a3adee938c3ed95c245
                                                        • Instruction ID: 59f86be6bb96cce19d29fad58e68caeece4aa90578d4c80288ee627b08c13f0d
                                                        • Opcode Fuzzy Hash: f1a2a141445089c48ab984f7ab6c7f59264e2fb43e5b4a3adee938c3ed95c245
                                                        • Instruction Fuzzy Hash: 6A419472E01219AFDB10CF95CDC9A9DB7B8AB48610F1046DDE819AB284D774AE41CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • memset.MSVCRT ref: 7037151A
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                        • CreateDirectoryW.KERNEL32(?,00000000,?), ref: 70371586
                                                        • GetLastError.KERNEL32 ref: 7037159B
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000936,onecore\base\ntsetup\panther\engine\engine.cpp,WdsGetTempDir,?,00000000,00000000,00000000), ref: 703715E0
                                                          • Part of subcall function 7036F945: memset.MSVCRT ref: 7036F96D
                                                          • Part of subcall function 7036F945: memset.MSVCRT ref: 7036F97B
                                                          • Part of subcall function 7036F945: GetLastError.KERNEL32 ref: 7036F98C
                                                          • Part of subcall function 7036F945: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000002D8,onecore\base\ntsetup\panther\engine\engine.cpp,pCreateCleanTempDir,?,00000000,00000000,00000000), ref: 7036F9C7
                                                        Strings
                                                        • C:\$Windows.~WS\Sources\Panther, xrefs: 7037153D
                                                        • Module Temp Directory %s is not useable, xrefs: 703715AD
                                                        • onecore\base\ntsetup\panther\engine\engine.cpp, xrefs: 703715CA
                                                        • WdsGetTempDir, xrefs: 70371522, 703715C5
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastMessageSetupmemset$CreateDirectory
                                                        • String ID: C:\$Windows.~WS\Sources\Panther$Module Temp Directory %s is not useable$WdsGetTempDir$onecore\base\ntsetup\panther\engine\engine.cpp
                                                        • API String ID: 1814319221-703570280
                                                        • Opcode ID: 2a4f124ebf7846e78b02e4798ed93799b50df29a37d89d53d1b8c562359eecdc
                                                        • Instruction ID: b2b85e96e082776a89a5726a67f0c28b6e5496ed242191c4a918690095282f68
                                                        • Opcode Fuzzy Hash: 2a4f124ebf7846e78b02e4798ed93799b50df29a37d89d53d1b8c562359eecdc
                                                        • Instruction Fuzzy Hash: F231E872A00105AFDB10DFA8DD45B9E73FCEF58210F144599E806DB284E774EA45CB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • memset.MSVCRT ref: 7036F676
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,SeqExecute,?,00000000), ref: 7036F6EC
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000269,onecore\base\ntsetup\panther\engine\engine.cpp,pUpdateContentsFile,00000000,00000000,00000000,00000000), ref: 7036F72A
                                                          • Part of subcall function 7036F17D: GetProcessHeap.KERNEL32(00000008,00000430,7038A6C0,00000018,7036F6A0,00000000,que,SeqExecute,?,00000000), ref: 7036F1A5
                                                          • Part of subcall function 7036F17D: HeapAlloc.KERNEL32(00000000), ref: 7036F1AC
                                                        Strings
                                                        • pUpdateContentsFile, xrefs: 7036F70E
                                                        • que, xrefs: 7036F693
                                                        • onecore\base\ntsetup\panther\engine\engine.cpp, xrefs: 7036F713
                                                        • %s\%s%d.%s, xrefs: 7036F6CE
                                                        • pUpdateContentsFile StringCchPrintf failed, xrefs: 7036F6F7
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocErrorLastMessageProcessSetupmemset
                                                        • String ID: %s\%s%d.%s$onecore\base\ntsetup\panther\engine\engine.cpp$pUpdateContentsFile$pUpdateContentsFile StringCchPrintf failed$que
                                                        • API String ID: 1635166022-950476381
                                                        • Opcode ID: a7e6cf3abfab5f4b2b7fc7f3482d5308ad1420fd658dee7233d2ac83e23b871d
                                                        • Instruction ID: b916fc165f633a983664979ad41ce7e34be664ef50c9f7054a2ce75cde722790
                                                        • Opcode Fuzzy Hash: a7e6cf3abfab5f4b2b7fc7f3482d5308ad1420fd658dee7233d2ac83e23b871d
                                                        • Instruction Fuzzy Hash: 60219972B00211BFD7208BA49C85B9E73BCAF48660F20415AF956AB288DB74F905CB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ResetEvent.KERNEL32(?,00000000,00000000,00000001,00000000,?,7036B525), ref: 7036B390
                                                        • GetLastError.KERNEL32(00000000,00000000,?,7036B525), ref: 7036B39E
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000009B1,onecore\base\ntsetup\panther\engine\seq.c,pStartWorkerThreads,7036B525,00000000,?,7036B525), ref: 7036B3D4
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • CreateThread.KERNEL32(00000000,00000000,7036B1E0,00000000,00000000,7036B525), ref: 7036B3EF
                                                        • LeaveCriticalSection.KERNEL32(0000006C), ref: 7036B40A
                                                        Strings
                                                        • Couldn't reset ExecQueue->hStopWorkerThreads, xrefs: 7036B3C2
                                                        • pStartWorkerThreads, xrefs: 7036B3A8
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 7036B3AD
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorHeapLast$AllocConstructCreateCriticalEventLeaveMessagePartialProcessResetSectionSetupThreadmemset
                                                        • String ID: Couldn't reset ExecQueue->hStopWorkerThreads$onecore\base\ntsetup\panther\engine\seq.c$pStartWorkerThreads
                                                        • API String ID: 493873544-2084349796
                                                        • Opcode ID: 7d3d222b2c3833a933f85aedb4a3d679bab7997ca64401dd920acfa8e3702a0a
                                                        • Instruction ID: b66b00a2893301c7e60191cfc764abae4088edbb499138bf0ed4a12625069895
                                                        • Opcode Fuzzy Hash: 7d3d222b2c3833a933f85aedb4a3d679bab7997ca64401dd920acfa8e3702a0a
                                                        • Instruction Fuzzy Hash: 3B01D477300115BFE60157B2DC8AEEF7A6DEF852A4B300116F90AD9055EFA0A80296B5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • memset.MSVCRT ref: 7037F48D
                                                        • RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\Setup\Panther,00000000,00020019,?,?,02000000,65000000), ref: 7037F4B8
                                                        • RegQueryValueExW.ADVAPI32(?,TelemetryAssertList,00000000,00000000,?,?,?,02000000,65000000), ref: 7037F4DD
                                                        • RegCloseKey.ADVAPI32(?,?,02000000,65000000), ref: 7037F4EE
                                                        • GetEnvironmentVariableW.KERNEL32(PANTHER_ENABLE_TELASSERT,?,00000104,?,02000000,65000000), ref: 7037F509
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: CloseEnvironmentOpenQueryValueVariablememset
                                                        • String ID: PANTHER_ENABLE_TELASSERT$SYSTEM\Setup\Panther$TelemetryAssertList
                                                        • API String ID: 3483029746-3368635653
                                                        • Opcode ID: 68f78aa85daa5ee3856351c032fdbd748883990535a4bfbfad9c519d272229b1
                                                        • Instruction ID: 9caad764c2d18f584d6e9178753c5df674cdbf4bc47ac521e8006e4b299de80a
                                                        • Opcode Fuzzy Hash: 68f78aa85daa5ee3856351c032fdbd748883990535a4bfbfad9c519d272229b1
                                                        • Instruction Fuzzy Hash: D9114676A01228AFDB209F52CD8CFDF7B7CFB50760F1001E5A81DA6091D7749A45CAB0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,00000000,7036D320), ref: 7036D348
                                                        • SetEvent.KERNEL32(?), ref: 7036D365
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036D377
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000011A6,onecore\base\ntsetup\panther\engine\seq.c,SeqPublishImmediateAsync,?,00000000), ref: 7036D3AD
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • LeaveCriticalSection.KERNEL32(?,7036D320), ref: 7036D3BF
                                                        Strings
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 7036D386
                                                        • Could not set ExecQueue->hProcessAsyncEvent, xrefs: 7036D39B
                                                        • SeqPublishImmediateAsync, xrefs: 7036D381
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorHeapLast$AllocConstructCriticalEventLeaveMessageObjectPartialProcessSectionSetupSingleWaitmemset
                                                        • String ID: Could not set ExecQueue->hProcessAsyncEvent$SeqPublishImmediateAsync$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 2446074109-1191125883
                                                        • Opcode ID: 5c8572a5008e8618440b64ce5aa368924efa05779960137928bea9ceb001f61d
                                                        • Instruction ID: 1df8dc767ad4f58cb776e67d9e168bb26f9de4c3056243cd09a6d4d5d8a5210f
                                                        • Opcode Fuzzy Hash: 5c8572a5008e8618440b64ce5aa368924efa05779960137928bea9ceb001f61d
                                                        • Instruction Fuzzy Hash: 16F0F675A00100BEEB015F62CC89F9E3A7DAF55240F248169F906DE299DB619811DA66
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 7036C57B: GetProcessHeap.KERNEL32(00000008,00000018,00000000,?,00000000), ref: 7036C591
                                                          • Part of subcall function 7036C57B: HeapAlloc.KERNEL32(00000000,?,00000000), ref: 7036C598
                                                        • LeaveCriticalSection.KERNEL32(?,7038A420,00000068), ref: 7036C7C7
                                                          • Part of subcall function 7036942E: GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,7036B400,?,7036B525), ref: 70369440
                                                          • Part of subcall function 7036942E: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000004B,onecore\base\ntsetup\panther\engine\seq.c,pLock,7036B525,00000000,?,7036B400,?,7036B525), ref: 70369473
                                                          • Part of subcall function 7036942E: EnterCriticalSection.KERNEL32(0000006C,00000000,00000000,?,7036B400,?,7036B525), ref: 70369479
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036C840
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,SeqExecute,?,00000000), ref: 7036C87B
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • CallSubscribers() -- invalid data given by subscription callback! The event's data won't be modified! (%s), xrefs: 7036C868
                                                        • CallSubscribers, xrefs: 7036C84A
                                                        • SEQ Control, xrefs: 7036C8A3
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 7036C84F
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$ErrorLast$AllocCriticalMessageProcessSectionSetup$ConstructEnterLeavePartialmemset
                                                        • String ID: CallSubscribers$CallSubscribers() -- invalid data given by subscription callback! The event's data won't be modified! (%s)$SEQ Control$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 3909829302-820090433
                                                        • Opcode ID: ba1a600b6859cf3bd5b8a4ac564f7781a52305707b249c510e436a3d825d043f
                                                        • Instruction ID: 573800b3ae5cfdc4780fa2f6448167f171afcce898fd9abf91b06cdc07a5254f
                                                        • Opcode Fuzzy Hash: ba1a600b6859cf3bd5b8a4ac564f7781a52305707b249c510e436a3d825d043f
                                                        • Instruction Fuzzy Hash: 6551F971E00609AFDB15CFA9C8416DDFBF5BF48310F10412AE919FB254EB71A906CB95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • memset.MSVCRT ref: 70374DDD
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000065A,onecore\base\ntsetup\panther\engine\bb.cpp,CMemoryManager::InitializeMemMapsAsForNewFile,00000000,00000000,00000000,00000000), ref: 70374E50
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000652,onecore\base\ntsetup\panther\engine\bb.cpp,CMemoryManager::InitializeMemMapsAsForNewFile,00000000,00000000,00000000,00000000), ref: 70374ECE
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • CMemoryManager::InitializeMemMapsAsForNewFile: pFileMapping->MapViewOfFile failed., xrefs: 70374E98
                                                        • onecore\base\ntsetup\panther\engine\bb.cpp, xrefs: 70374E39, 70374EB8
                                                        • CMemoryManager::InitializeMemMapsAsForNewFile: pFileMapping->UnmapViewOfFile failed., xrefs: 70374E19
                                                        • CMemoryManager::InitializeMemMapsAsForNewFile, xrefs: 70374E34, 70374EB3
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: HeapMessageSetupmemset$AllocConstructErrorLastPartialProcess
                                                        • String ID: CMemoryManager::InitializeMemMapsAsForNewFile$CMemoryManager::InitializeMemMapsAsForNewFile: pFileMapping->MapViewOfFile failed.$CMemoryManager::InitializeMemMapsAsForNewFile: pFileMapping->UnmapViewOfFile failed.$onecore\base\ntsetup\panther\engine\bb.cpp
                                                        • API String ID: 1231272097-405556691
                                                        • Opcode ID: bdd96e46206abb05e7647b275d43be054e9a75450e73215f1819afacdde36b82
                                                        • Instruction ID: 75344e0b5141cb1b3661a650eb3cf6b30aa383c804b391532a412a4449df0f0d
                                                        • Opcode Fuzzy Hash: bdd96e46206abb05e7647b275d43be054e9a75450e73215f1819afacdde36b82
                                                        • Instruction Fuzzy Hash: 68411776F00205AFEB158B64CC95B6E77A9EB84360F15416DF912EB3C4D7F8BD018A90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,00000018,00000000,?,00000000), ref: 7036C591
                                                        • HeapAlloc.KERNEL32(00000000,?,00000000), ref: 7036C598
                                                        • GetLastError.KERNEL32(00000000,00000000,?,00000000), ref: 7036C6BE
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000E7C,onecore\base\ntsetup\panther\engine\seq.c,pGetAllSubscriptions,00000000,00000000,?,00000000), ref: 7036C6F4
                                                          • Part of subcall function 7036C4E9: memset.MSVCRT ref: 7036C512
                                                        Strings
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 7036C6CD
                                                        • Could not allocate temporary subscription list (SEQ13), xrefs: 7036C6E2
                                                        • pGetAllSubscriptions, xrefs: 7036C6C8
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        Similarity
                                                        • API ID: Heap$AllocErrorLastMessageProcessSetupmemset
                                                        • String ID: Could not allocate temporary subscription list (SEQ13)$onecore\base\ntsetup\panther\engine\seq.c$pGetAllSubscriptions
                                                        • API String ID: 1635166022-2880117949

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,00000028,7038A280,00000014,7036A787,?,00000000,7038A2C0,00000020,70370A1C), ref: 7036A4F4
                                                        • HeapAlloc.KERNEL32(00000000), ref: 7036A4FB
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036A512
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004DC,onecore\base\ntsetup\panther\engine\seq.c,pConstructGroup,?,00000000), ref: 7036A548
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • Could not allocate group list item (SEQ3), xrefs: 7036A536
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 7036A521
                                                        • pConstructGroup, xrefs: 7036A51C
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        Similarity
                                                        • API ID: Heap$AllocErrorLastProcess$ConstructMessagePartialSetupmemset
                                                        • String ID: Could not allocate group list item (SEQ3)$onecore\base\ntsetup\panther\engine\seq.c$pConstructGroup
                                                        • API String ID: 1250887120-1355562884

                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 7037182B
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • GetLastError.KERNEL32 ref: 7037187A
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000009F2,onecore\base\ntsetup\panther\engine\engine.cpp,WdsPublishOffline,?,00000000,00000000,00000000), ref: 703718B6
                                                          • Part of subcall function 7037010B: memset.MSVCRT ref: 70370139
                                                        Strings
                                                        • onecore\base\ntsetup\panther\engine\engine.cpp, xrefs: 70371853, 703718A0
                                                        • Invalid Queue Name '%s' specified to WdsPublishOffline, xrefs: 70371832
                                                        • WdsPublishOffline - must provide an actual group name, not NULL or WDS_CURRENT_GROUP, xrefs: 70371880
                                                        • WdsPublishOffline, xrefs: 7037184E, 7037189B
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        Similarity
                                                        • API ID: ErrorLast$ConstructMessagePartialSetupmemset
                                                        • String ID: Invalid Queue Name '%s' specified to WdsPublishOffline$WdsPublishOffline$WdsPublishOffline - must provide an actual group name, not NULL or WDS_CURRENT_GROUP$onecore\base\ntsetup\panther\engine\engine.cpp
                                                        • API String ID: 279190697-2652601223

                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,70369D95,00000001,?,?,?,7038A1C0,0000000C,70370A8C,?,?,?), ref: 70369A45
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000001E9,onecore\base\ntsetup\panther\engine\seq.c,ValidateModule,00000000,00000000,?,70369D95,00000001,?,?,?,7038A1C0), ref: 70369A7F
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000), ref: 70369AAA
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • ValidateModule, xrefs: 70369A4F
                                                        • A Module did not subscribe to any events, so it was unloaded., xrefs: 70369A6D
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 70369A54
                                                        • Module '%s' did not subscribe to any events, so it was unloaded., xrefs: 70369A97
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        Similarity
                                                        • API ID: ErrorHeapLastMessageSetup$AllocConstructPartialProcessmemset
                                                        • String ID: A Module did not subscribe to any events, so it was unloaded.$Module '%s' did not subscribe to any events, so it was unloaded.$ValidateModule$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 4256035297-468423868

                                                        APIs
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                        • WdsSeqAlloc.WDSCORE(00000000,?), ref: 7036A059
                                                          • Part of subcall function 703710C0: GetProcessHeap.KERNEL32(00000008,?,?,7036A05E,00000000,?), ref: 703710D5
                                                          • Part of subcall function 703710C0: HeapAlloc.KERNEL32(00000000,?,7036A05E,00000000,?), ref: 703710DC
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,?), ref: 7036A06A
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000373,onecore\base\ntsetup\panther\engine\seq.c,WdsInitializeCallbackArray,?,00000000), ref: 7036A0A0
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • memcpy.MSVCRT ref: 7036A0AE
                                                        Strings
                                                        • WdsInitializeCallbackArray, xrefs: 7036A025, 7036A074
                                                        • Could not alloc memory in WdsInitializeCallbackArray, xrefs: 7036A08E
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 7036A079
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        Similarity
                                                        • API ID: Heap$AllocErrorLast$MessageProcessSetup$ConstructPartialmemcpymemset
                                                        • String ID: Could not alloc memory in WdsInitializeCallbackArray$WdsInitializeCallbackArray$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 2571315102-1402800266

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,00000028,00000000,00000000,?,7036C666,?,00000000,00000000,?,00000000), ref: 7036BCD7
                                                        • HeapAlloc.KERNEL32(00000000,?,7036C666,?,00000000,00000000,?,00000000), ref: 7036BCDE
                                                        • GetLastError.KERNEL32(00000000,00000000,?,7036C666,?,00000000,00000000,?,00000000), ref: 7036BCEE
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000C1B,onecore\base\ntsetup\panther\engine\seq.c,pCopySubscription,00000000,00000000,?,7036C666,?,00000000,00000000,?,00000000), ref: 7036BD24
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • pCopySubscription, xrefs: 7036BCF8
                                                        • Failed to allocate memory for copy of subscription (SEQ8), xrefs: 7036BD12
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 7036BCFD
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        Similarity
                                                        • API ID: Heap$AllocErrorLastProcess$ConstructMessagePartialSetupmemset
                                                        • String ID: Failed to allocate memory for copy of subscription (SEQ8)$onecore\base\ntsetup\panther\engine\seq.c$pCopySubscription
                                                        • API String ID: 1250887120-3615271908

                                                        APIs
                                                        • WdsLogRegisterProvider.WDSCORE(70368130,70382610,7037EB72), ref: 70382C5A
                                                          • Part of subcall function 70382960: GetProcessHeap.KERNEL32(00000000,00000018,?,00000000,03251AF0,?,?,70382C5F,70368130,70382610,7037EB72), ref: 703829F7
                                                          • Part of subcall function 70382960: HeapAlloc.KERNEL32(00000000,?,?,70382C5F,70368130,70382610,7037EB72), ref: 703829FE
                                                          • Part of subcall function 70382960: GetProcessHeap.KERNEL32(00000000,?,00000000,?,?,70382C5F,70368130,70382610,7037EB72), ref: 70382A2B
                                                          • Part of subcall function 70382960: HeapFree.KERNEL32(00000000,?,?,70382C5F,70368130,70382610,7037EB72), ref: 70382A32
                                                        • WdsLogRegisterProvider.WDSCORE(70368140,70382650,70368130,70382610,7037EB72), ref: 70382C69
                                                        • WdsLogRegisterProvider.WDSCORE(70368160,70382700,70368140,70382650,70368130,70382610,7037EB72), ref: 70382C78
                                                        • WdsLogRegisterProvider.WDSCORE(70368170,703827A0,70368160,70382700,70368140,70382650,70368130,70382610,7037EB72), ref: 70382C87
                                                        • WdsLogRegisterProvider.WDSCORE(70368100,703827D0,70368170,703827A0,70368160,70382700,70368140,70382650,70368130,70382610,7037EB72), ref: 70382C96
                                                        • WdsLogRegisterProvider.WDSCORE(70368120,70382810,70368100,703827D0,70368170,703827A0,70368160,70382700,70368140,70382650,70368130,70382610,7037EB72), ref: 70382CA5
                                                        • WdsLogRegisterProvider.WDSCORE(70368110,703828B0,70368120,70382810,70368100,703827D0,70368170,703827A0,70368160,70382700,70368140,70382650,70368130,70382610,7037EB72), ref: 70382CB4
                                                        • WdsLogRegisterProvider.WDSCORE(70368150,703825B0,70368110,703828B0,70368120,70382810,70368100,703827D0,70368170,703827A0,70368160,70382700,70368140,70382650,70368130,70382610), ref: 70382CC3
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        Similarity
                                                        • API ID: ProviderRegister$Heap$Process$AllocFree
                                                        • String ID:
                                                        • API String ID: 680546924-0

                                                        APIs
                                                        • WdsLogUnRegisterProvider.WDSCORE(70368110,7037F219,?,7037F29D), ref: 70382CE5
                                                          • Part of subcall function 70382A60: __EH_prolog3.LIBCMT ref: 70382A67
                                                        • WdsLogUnRegisterProvider.WDSCORE(70368100,70368110,7037F219,?,7037F29D), ref: 70382CEF
                                                          • Part of subcall function 70382A60: GetProcessHeap.KERNEL32(00000000,00000000,00000000,70382CEA,70368110,7037F219,?,7037F29D), ref: 70382ADF
                                                          • Part of subcall function 70382A60: HeapFree.KERNEL32(00000000,?,7037F29D), ref: 70382AE6
                                                        • WdsLogUnRegisterProvider.WDSCORE(70368120,70368100,70368110,7037F219,?,7037F29D), ref: 70382CF9
                                                        • WdsLogUnRegisterProvider.WDSCORE(70368160,70368120,70368100,70368110,7037F219,?,7037F29D), ref: 70382D03
                                                        • WdsLogUnRegisterProvider.WDSCORE(70368170,70368160,70368120,70368100,70368110,7037F219,?,7037F29D), ref: 70382D0D
                                                        • WdsLogUnRegisterProvider.WDSCORE(70368140,70368170,70368160,70368120,70368100,70368110,7037F219,?,7037F29D), ref: 70382D17
                                                        • WdsLogUnRegisterProvider.WDSCORE(70368130,70368140,70368170,70368160,70368120,70368100,70368110,7037F219,?,7037F29D), ref: 70382D21
                                                        • WdsLogUnRegisterProvider.WDSCORE(70368150,70368130,70368140,70368170,70368160,70368120,70368100,70368110,7037F219,?,7037F29D), ref: 70382D2B
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        Similarity
                                                        • API ID: ProviderRegister$Heap$FreeH_prolog3Process
                                                        • String ID:
                                                        • API String ID: 219115384-0
                                                        • Opcode ID: 1fc88074b37cd9dbba68f1e2fefdd79d567b57b8953f3f3206d9282a0ac4223b
                                                        • Instruction ID: f05bf8ffdbc007939328cc298fa6a158eda421f2a53b3efc14762c99190ea622
                                                        • Opcode Fuzzy Hash: 1fc88074b37cd9dbba68f1e2fefdd79d567b57b8953f3f3206d9282a0ac4223b
                                                        • Instruction Fuzzy Hash: F3D0B668B61008A8CA68A7B18D93E8E04C02F0A0067000BA0F8C2AC1888F08B2D3103A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • _wcsicmp.MSVCRT ref: 70379268
                                                          • Part of subcall function 703771C1: memcpy.MSVCRT ref: 70377281
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00001410,onecore\base\ntsetup\panther\engine\bb.cpp,CBlackboard::FindValue,00000002,00000000,00000000,00000000), ref: 70379351
                                                        • memcpy.MSVCRT ref: 7037953E
                                                        Strings
                                                        • CBlackboard::FindValue, xrefs: 70379336
                                                        • CBlackboard::FindValue: negative lock count., xrefs: 70379321
                                                        • onecore\base\ntsetup\panther\engine\bb.cpp, xrefs: 7037933B
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: memcpy$MessageSetup_wcsicmp
                                                        • String ID: CBlackboard::FindValue$CBlackboard::FindValue: negative lock count.$onecore\base\ntsetup\panther\engine\bb.cpp
                                                        • API String ID: 1196335949-691782960
                                                        • Opcode ID: 62edda673df6bdfd4dd548cd3aca740812976b7f930cbf6707e3ccb00f9c8f0c
                                                        • Instruction ID: cc08d5df3613f48e3ffce50fdc14757047dd555eb35c6ab0c36bebf9f703bfce
                                                        • Opcode Fuzzy Hash: 62edda673df6bdfd4dd548cd3aca740812976b7f930cbf6707e3ccb00f9c8f0c
                                                        • Instruction Fuzzy Hash: 39022C71A002299FDB25CF24CD90BDDB7B9BF49310F11969EE94AA7250D734AE81CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ReleaseMutex.KERNEL32(70378EA3,?,?,?,?,?,?,?,?,70378EA3), ref: 70378CAD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: MutexRelease
                                                        • String ID: DRBK$DRBK$LBSM$LBSM$LBSMDRBK
                                                        • API String ID: 1638419-3820509818
                                                        • Opcode ID: cb16a6ae1862d8de43f309f7039285ad6b31c3318f9f5e83429c0ccb535f76c6
                                                        • Instruction ID: 361d8bbdeeecc600ddb649a9d306e4cc25bca99c4e6e385296d6b21cb4e22355
                                                        • Opcode Fuzzy Hash: cb16a6ae1862d8de43f309f7039285ad6b31c3318f9f5e83429c0ccb535f76c6
                                                        • Instruction Fuzzy Hash: 6C9118B590061ADFCB15CF59C9C09ADBBB9FF48314B61816EE406A7751C734AE42CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • Sleep.KERNEL32(000003E8,?,00000000), ref: 70388B3C
                                                        • _amsg_exit.MSVCRT ref: 70388B61
                                                        • free.MSVCRT(03251588,?,00000000), ref: 70388BC5
                                                        • Sleep.KERNEL32(000003E8,?,00000000), ref: 70388C25
                                                        • _amsg_exit.MSVCRT ref: 70388C4C
                                                        • _initterm.MSVCRT ref: 70388C7C
                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 70388CA1
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Sleep_amsg_exit$CurrentImageNonwritable_inittermfree
                                                        • String ID:
                                                        • API String ID: 2616854937-0
                                                        • Opcode ID: 2629feeb40781f2e06972d87ce1f18988497bea99adb7577af80be069ee74c43
                                                        • Instruction ID: 9ab65419222211b23826a6990d18dd2a2cae5dadcd475a6c8dc99845d1af3e02
                                                        • Opcode Fuzzy Hash: 2629feeb40781f2e06972d87ce1f18988497bea99adb7577af80be069ee74c43
                                                        • Instruction Fuzzy Hash: FB51A176A002069FCB06CF26C940A5DB7BAFB84350B3184FEE557AB2D4DB308941DB70
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 70378185: __EH_prolog3.LIBCMT ref: 7037818C
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00001352,onecore\base\ntsetup\panther\engine\bb.cpp,CBlackboard::Open,?,00000000,00000000,00000000), ref: 70378F00
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00001356,onecore\base\ntsetup\panther\engine\bb.cpp,CBlackboard::Open,?,00000000,00000000,00000000), ref: 70378F5E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: MessageSetup$H_prolog3
                                                        • String ID: CBlackboard::Open$CBlackboard::Open: %s succeeded.$CBlackboard::Open: m_Storage.CreateType(%s) failed.$onecore\base\ntsetup\panther\engine\bb.cpp
                                                        • API String ID: 3417531035-3170103080
                                                        • Opcode ID: 5d55e39e05c7fef73670cda0de64bc505b6b05fbd7fb25dc85cebe75f6624942
                                                        • Instruction ID: ae483615f87c108bc92dff8c25ffb91f98ee76ea240bd42d67e93909f29ffebc
                                                        • Opcode Fuzzy Hash: 5d55e39e05c7fef73670cda0de64bc505b6b05fbd7fb25dc85cebe75f6624942
                                                        • Instruction Fuzzy Hash: D9212972B401187FDB105B258C41EAF3B6EEB45264F154126FD45EF280EB69EC12D7A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • memset.MSVCRT ref: 7037DAA7
                                                        • GetLastError.KERNEL32 ref: 7037DB42
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,7036548F,00000000,<unknown>,WdsVectoredExceptionHandler,?,00000000,00000000,00000000), ref: 7037DBA6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastMessageSetupmemset
                                                        • String ID: <unknown>$Exception (code 0x%08X: %s) occurred at 0x%p in %s.$WdsVectoredExceptionHandler
                                                        • API String ID: 3386021540-292395106
                                                        • Opcode ID: 968dc859969f682c4713986dcb94eccc81caf5fbf7d6a2fe67a6928de13216f5
                                                        • Instruction ID: 1618d42de52ef8b09911956c442e432d6d219bff3f1e21f1a9dab52d27a83e2f
                                                        • Opcode Fuzzy Hash: 968dc859969f682c4713986dcb94eccc81caf5fbf7d6a2fe67a6928de13216f5
                                                        • Instruction Fuzzy Hash: D931C671A00215AFDB04DF618CC5BAE77B9FB88310F2581AEE90BAB290D735AD41DF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • memset.MSVCRT ref: 7036BB2E
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                          • Part of subcall function 7036942E: GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,7036B400,?,7036B525), ref: 70369440
                                                          • Part of subcall function 7036942E: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000004B,onecore\base\ntsetup\panther\engine\seq.c,pLock,7036B525,00000000,?,7036B400,?,7036B525), ref: 70369473
                                                          • Part of subcall function 7036942E: EnterCriticalSection.KERNEL32(0000006C,00000000,00000000,?,7036B400,?,7036B525), ref: 70369479
                                                        • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 7036BBB8
                                                        • GetProcAddress.KERNEL32(00000000,SetThreadPreferredUILanguages), ref: 7036BBC8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastMessageSetup$AddressCriticalEnterHandleModuleProcSectionmemset
                                                        • String ID: SetThreadPreferredUILanguages$kernel32.dll$pSetUILanguage
                                                        • API String ID: 1155449522-3889521995
                                                        • Opcode ID: c9def60011a5e3c76be6cc2ec44a4fd95a10168e6d68a1f6d6f65faa868d4b8b
                                                        • Instruction ID: 2650268d9515b912d6960ed4af856e02e02d45ced8b6e2cc49b39fa3280a55db
                                                        • Opcode Fuzzy Hash: c9def60011a5e3c76be6cc2ec44a4fd95a10168e6d68a1f6d6f65faa868d4b8b
                                                        • Instruction Fuzzy Hash: AC21F272A002219FDB119FA0C985BAE73B9EF50610F1101A9E8079B29CDF31EE81CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 7037FFBC
                                                        • FormatMessageA.KERNEL32(00000900,00000000,00000400,00000000,00000000,?), ref: 70380015
                                                        • LocalFree.KERNEL32(00000000), ref: 7038007B
                                                        • SetLastError.KERNEL32(00000000), ref: 7038008B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$FormatFreeLocalMessage
                                                        • String ID: %*s$Log: Failed To Get Msg From ID
                                                        • API String ID: 2740663437-1979155585
                                                        • Opcode ID: 3871bb0229ec444755ddda8320acb66dd71f0492f9599dae3b767d78da0b5d32
                                                        • Instruction ID: a738eab0c89e419ac77a268fc06d3a47f4352b9d415a0181eca04f2a36f5806c
                                                        • Opcode Fuzzy Hash: 3871bb0229ec444755ddda8320acb66dd71f0492f9599dae3b767d78da0b5d32
                                                        • Instruction Fuzzy Hash: 48219CB6200704AFD7229B66CC44B6FBBF9AB84310F25849DE997CB294D735E9018B60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                          • Part of subcall function 7036942E: GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,7036B400,?,7036B525), ref: 70369440
                                                          • Part of subcall function 7036942E: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000004B,onecore\base\ntsetup\panther\engine\seq.c,pLock,7036B525,00000000,?,7036B400,?,7036B525), ref: 70369473
                                                          • Part of subcall function 7036942E: EnterCriticalSection.KERNEL32(0000006C,00000000,00000000,?,7036B400,?,7036B525), ref: 70369479
                                                        • GetCurrentThreadId.KERNEL32 ref: 7036AA23
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036AA36
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000066B,onecore\base\ntsetup\panther\engine\seq.c,SeqGetCurrentExecutionGroup,?,00000000), ref: 7036AA6C
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • Attempt to use SeqGetCurrentExecutionGroup from another thread, xrefs: 7036AA5A
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 7036AA45
                                                        • SeqGetCurrentExecutionGroup, xrefs: 7036AA07, 7036AA40
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$MessageSetup$Heap$AllocConstructCriticalCurrentEnterPartialProcessSectionThreadmemset
                                                        • String ID: Attempt to use SeqGetCurrentExecutionGroup from another thread$SeqGetCurrentExecutionGroup$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 2337866241-975318247
                                                        • Opcode ID: 55ca79f53ed00e6b337cd25f2c5e0dd05ecbfff2492c85acddb66a2cbbac8e2f
                                                        • Instruction ID: fb9c186b7273363e57d61d296af8290a48902a5bfcc72888b108a69970fdeaa5
                                                        • Opcode Fuzzy Hash: 55ca79f53ed00e6b337cd25f2c5e0dd05ecbfff2492c85acddb66a2cbbac8e2f
                                                        • Instruction Fuzzy Hash: 2621D671600A05AFDB05CFA6C941AAEB7B5EF85300B11851EE8529F398DB75A802CB64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • memset.MSVCRT ref: 7037D57C
                                                        • GetTempFileNameW.KERNEL32(C:\$Windows.~WS\Sources\Panther\,mnd,00000000,?,?,?,<unknown>), ref: 7037D59E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: FileNameTempmemset
                                                        • String ID: <unknown>$C:\$Windows.~WS\Sources\Panther\$diagerr.mdmp$mnd
                                                        • API String ID: 3564516187-190422775
                                                        • Opcode ID: 8334dfde1b47d8da457e8c081dda4f1e53fcac24f88da1b14c57ddc2a18fd927
                                                        • Instruction ID: 27936485467a6b06dd3dae7e02591751594739d6a9fc383c44020c9ef56f4656
                                                        • Opcode Fuzzy Hash: 8334dfde1b47d8da457e8c081dda4f1e53fcac24f88da1b14c57ddc2a18fd927
                                                        • Instruction Fuzzy Hash: 8B11827170021D9FDB10D725CD89FDE77BCAB44214F6086A9E91AE61C0EB74EA458BA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000), ref: 7036E748
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00000014,7036F5DE,7036F5A2,?,?,?,SeqExecute,?), ref: 7036E783
                                                        Strings
                                                        • The header for '%s' couldn't be written, xrefs: 7036E770
                                                        • onecore\base\ntsetup\panther\engine\objectfile.c, xrefs: 7036E757
                                                        • OF_Close, xrefs: 7036E752
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastMessageSetup
                                                        • String ID: OF_Close$The header for '%s' couldn't be written$onecore\base\ntsetup\panther\engine\objectfile.c
                                                        • API String ID: 2111701876-4043689975
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 703702C5: GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703702C5: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                        • GetLastError.KERNEL32(00000000,00000000,7038A500,0000000C,70371C45), ref: 7036D5A1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00001266,onecore\base\ntsetup\panther\engine\seq.c,SeqDeleteEvent,?,00000000), ref: 7036D5D7
                                                        Strings
                                                        • SeqDeleteEvent, xrefs: 7036D5AB
                                                        • WdsDeleteEvent - must pass in a WDS_QUEUE_POSITION from the iteration callback only!, xrefs: 7036D5C5
                                                        • WdsDeleteEvent, xrefs: 7036D572
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 7036D5B0
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastMessageSetup
                                                        • String ID: SeqDeleteEvent$WdsDeleteEvent$WdsDeleteEvent - must pass in a WDS_QUEUE_POSITION from the iteration callback only!$onecore\base\ntsetup\panther\engine\seq.c
                                                        • API String ID: 2111701876-2623594507
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WdsDuplicateData.WDSCORE(00000000,00000000), ref: 70371A48
                                                          • Part of subcall function 70371100: GetLastError.KERNEL32(00000000,00000000,pConstructEvent,?,?,7036A1F1,00000020,00000000), ref: 7037111F
                                                          • Part of subcall function 70371100: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000794,onecore\base\ntsetup\panther\engine\engine.cpp,WdsDuplicateData,00000000,00000000,00000000,00000000,SeqExecute,?,00000000), ref: 7037115D
                                                        • GetLastError.KERNEL32(?,00000000,00000000), ref: 70371A52
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000A8D,onecore\base\ntsetup\panther\engine\engine.cpp,WdsEnableExitEx,?,00000000,00000000,00000000,?,00000000,00000000), ref: 70371A8E
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • WdsEnableExitEx couldn't duplicate exit data, xrefs: 70371A58
                                                        • WdsEnableExitEx, xrefs: 70371A73
                                                        • onecore\base\ntsetup\panther\engine\engine.cpp, xrefs: 70371A78
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$HeapMessageSetup$AllocConstructDataDuplicatePartialProcessmemset
                                                        • String ID: WdsEnableExitEx$WdsEnableExitEx couldn't duplicate exit data$onecore\base\ntsetup\panther\engine\engine.cpp
                                                        • API String ID: 150671164-143871502
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WdsDuplicateData.WDSCORE(00000000,00000000), ref: 70371AE8
                                                          • Part of subcall function 70371100: GetLastError.KERNEL32(00000000,00000000,pConstructEvent,?,?,7036A1F1,00000020,00000000), ref: 7037111F
                                                          • Part of subcall function 70371100: WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000794,onecore\base\ntsetup\panther\engine\engine.cpp,WdsDuplicateData,00000000,00000000,00000000,00000000,SeqExecute,?,00000000), ref: 7037115D
                                                        • GetLastError.KERNEL32(?,00000000,00000000), ref: 70371AF2
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000AA8,onecore\base\ntsetup\panther\engine\engine.cpp,WdsExitImmediatelyEx,?,00000000,00000000,00000000,?,00000000,00000000), ref: 70371B2E
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • onecore\base\ntsetup\panther\engine\engine.cpp, xrefs: 70371B18
                                                        • WdsExitImmediatelyEx, xrefs: 70371B13
                                                        • WdsExitImmediatelyEx couldn't duplicate exit data, xrefs: 70371AF8
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$HeapMessageSetup$AllocConstructDataDuplicatePartialProcessmemset
                                                        • String ID: WdsExitImmediatelyEx$WdsExitImmediatelyEx couldn't duplicate exit data$onecore\base\ntsetup\panther\engine\engine.cpp
                                                        • API String ID: 150671164-3273526756
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,?,7036A02F), ref: 703702D7
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000004D5,onecore\base\ntsetup\panther\engine\engine.cpp,IsWorkQueueAccessible,?,00000000,00000000,00000000), ref: 70370315
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • WdsInitializeCallbackArray, xrefs: 703702DD
                                                        • Function %s was called, but the panther work queue is not running!, xrefs: 703702DE
                                                        • onecore\base\ntsetup\panther\engine\engine.cpp, xrefs: 703702FF
                                                        • IsWorkQueueAccessible, xrefs: 703702FA
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorHeapLast$AllocConstructMessagePartialProcessSetupmemset
                                                        • String ID: Function %s was called, but the panther work queue is not running!$IsWorkQueueAccessible$WdsInitializeCallbackArray$onecore\base\ntsetup\panther\engine\engine.cpp
                                                        • API String ID: 641720108-1908150490
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,?,7036B400,?,7036B525), ref: 70369440
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000004B,onecore\base\ntsetup\panther\engine\seq.c,pLock,7036B525,00000000,?,7036B400,?,7036B525), ref: 70369473
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        • EnterCriticalSection.KERNEL32(0000006C,00000000,00000000,?,7036B400,?,7036B525), ref: 70369479
                                                        Strings
                                                        • pLock, xrefs: 7036944A
                                                        • ExecQueue->csLock.DebugInfo is NULL., xrefs: 70369461
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 7036944F
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorHeapLast$AllocConstructCriticalEnterMessagePartialProcessSectionSetupmemset
                                                        • String ID: ExecQueue->csLock.DebugInfo is NULL.$onecore\base\ntsetup\panther\engine\seq.c$pLock
                                                        • API String ID: 2348391475-81045438
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • fclose.MSVCRT ref: 70387CAE
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,70387C89), ref: 70387CC9
                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,70387C89), ref: 70387CD0
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,70387C89), ref: 70387CDC
                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,70387C89), ref: 70387CE3
                                                        • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,70387C89), ref: 70387CF2
                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,70387C89), ref: 70387CF9
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$FreeProcess$fclose
                                                        • String ID:
                                                        • API String ID: 916384275-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000), ref: 70387264
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 70387279
                                                        • HeapAlloc.KERNEL32(00000000), ref: 70387280
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000), ref: 70387295
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 703872A2
                                                        • HeapFree.KERNEL32(00000000), ref: 703872A9
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 7038737D
                                                        • HeapFree.KERNEL32(00000000), ref: 70387384
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$ByteCharFreeMultiWide$Alloc
                                                        • String ID:
                                                        • API String ID: 741470664-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,70369794,?,?,7038A160,00000024), ref: 703697B7
                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,70369794,?,?,7038A160,00000024), ref: 703697BE
                                                        • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,70369794,?,?,7038A160,00000024), ref: 703697CE
                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,70369794,?,?,7038A160,00000024), ref: 703697D5
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,70369794,?,?,7038A160,00000024), ref: 703697E5
                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,70369794,?,?,7038A160,00000024), ref: 703697EC
                                                        • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,70369794,?,?,7038A160,00000024), ref: 703697FC
                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,70369794,?,?,7038A160,00000024), ref: 70369803
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$FreeProcess
                                                        • String ID:
                                                        • API String ID: 3859560861-0
                                                        • Opcode ID: bb852552199878f89174a6b051e218c5bbb3c8b46ca69858502e4b9d678f6a5d
                                                        • Instruction ID: 0cfcd9854eb8dd387b0e4ee2b653da250390ffc30381be839659205763e34305
                                                        • Opcode Fuzzy Hash: bb852552199878f89174a6b051e218c5bbb3c8b46ca69858502e4b9d678f6a5d
                                                        • Instruction Fuzzy Hash: 7DF04DB2811114EFDB025BA1CC4CBDD7ABDFB19306F314495F103A20A5C7394985DB78
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 7037D685
                                                        • GetCurrentProcessId.KERNEL32(?,C0000000,00000000,00000000,00000002,00000100,00000000,7038AFD8,00000030,7037D87C,?,?,?), ref: 7037D69A
                                                        • GetCurrentProcess.KERNEL32(?,C0000000,00000000,00000000,00000002,00000100,00000000,7038AFD8,00000030,7037D87C,?,?,?), ref: 7037D6A2
                                                        • GetFileSize.KERNEL32(000000FF,?,?,C0000000,00000000,00000000,00000002,00000100,00000000,7038AFD8,00000030,7037D87C,?,?,?), ref: 7037D6D3
                                                        • CreateFileMappingW.KERNEL32(000000FF,00000000,00000002,?,00000000,00000000,?,C0000000,00000000,00000000,00000002,00000100,00000000,7038AFD8,00000030,7037D87C), ref: 7037D6EA
                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,C0000000,00000000,00000000,00000002,00000100,00000000,7038AFD8,00000030,7037D87C,?), ref: 7037D6FD
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: CurrentFile$Process$CreateMappingSizeThreadView
                                                        • String ID:
                                                        • API String ID: 3521580201-0
                                                        • Opcode ID: 0bc37cf7077a2aa31fb5beb3aa5861bbb9fd74967594180f9ec6f8dfca1ff8bd
                                                        • Instruction ID: 43978e70fe1f4bf0bf42ba8736616f9db729ce3b370c086a83c8d4a1b84a88bd
                                                        • Opcode Fuzzy Hash: 0bc37cf7077a2aa31fb5beb3aa5861bbb9fd74967594180f9ec6f8dfca1ff8bd
                                                        • Instruction Fuzzy Hash: 594121B5E01219AFDB04DFA9CD84AADBBB9FF48260F21826DE516E72D0D7345D01CB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,00000004,00000001,?,?,?,?,7036E902,00000000,00000000,?,?), ref: 7036E871
                                                        • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,7036E902,00000000,00000000,?,?,?,7036E2EB,00000004), ref: 7036E894
                                                        • HeapAlloc.KERNEL32(00000000,?,?,?,?,7036E902,00000000,00000000,?,?,?,7036E2EB,00000004), ref: 7036E89B
                                                        • ReadFile.KERNEL32(?,00000000,00000000,00000004,00000000,?,?,?,?,7036E902,00000000,00000000,?,?,?,7036E2EB), ref: 7036E8B3
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,7036E902,00000000,00000000,?,?,?,7036E2EB,00000004), ref: 7036E8CD
                                                        • HeapFree.KERNEL32(00000000,?,?,?,?,7036E902,00000000,00000000,?,?,?,7036E2EB,00000004), ref: 7036E8D4
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$FileProcessRead$AllocFree
                                                        • String ID:
                                                        • API String ID: 2389892922-0
                                                        • Opcode ID: 6ffbeba34162a5bd39ca2eb1f5b04bbb87c37da491ee507e219a20bd9394f56b
                                                        • Instruction ID: 3d01144e07a4dc09c20cf33d4b1abc593a4f13acd20eca4a060aa14f16319001
                                                        • Opcode Fuzzy Hash: 6ffbeba34162a5bd39ca2eb1f5b04bbb87c37da491ee507e219a20bd9394f56b
                                                        • Instruction Fuzzy Hash: 56114CB2500205FFDB019FA5CC48B9EBBFDEF14B15F2045A9E546D2094E7719948DF20
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00001AAD,onecore\base\ntsetup\panther\engine\bb.cpp,CBlackboard::FindNodeByUniqueID,00000001,00000000,00000000,00000000), ref: 7037B46C
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • CBlackboard::FindNodeByUniqueID, xrefs: 7037B451
                                                        • Blackboard Corruption: %s, xrefs: 7037B43B
                                                        • (sizeof(SValue) + ((SValue *)Node.GetBuffer())->uiNameSize + ((SValue *)Node.GetBuffer())->uiSize) != uiItemSize, xrefs: 7037B436
                                                        • onecore\base\ntsetup\panther\engine\bb.cpp, xrefs: 7037B456
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocConstructErrorLastMessagePartialProcessSetupmemset
                                                        • String ID: (sizeof(SValue) + ((SValue *)Node.GetBuffer())->uiNameSize + ((SValue *)Node.GetBuffer())->uiSize) != uiItemSize$Blackboard Corruption: %s$CBlackboard::FindNodeByUniqueID$onecore\base\ntsetup\panther\engine\bb.cpp
                                                        • API String ID: 3875557587-3860658385
                                                        • Opcode ID: e1d8909d23752af27723f42a47826fba9d1c10c9a0ce58c5290b8d0e8dc93116
                                                        • Instruction ID: 5a8f9dcb4ddafa558389acd9a536bfbe605d82978c5cc947bad6a024555bc1e3
                                                        • Opcode Fuzzy Hash: e1d8909d23752af27723f42a47826fba9d1c10c9a0ce58c5290b8d0e8dc93116
                                                        • Instruction Fuzzy Hash: 4E713A71A00219AFDB25CF55CDD0BEDB3B9BB58300F5191AEE54AA7280DB34AE85CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,00000014), ref: 7036A3C2
                                                        • WdsSetupLogMessageW.WDSCORE(00000000), ref: 7036A414
                                                          • Part of subcall function 7036E7E2: WriteFile.KERNEL32(?,00000000,00000004,00000000,00000000,00000001,00000001,?,?,7036E26F,00000004,00000004,00000000), ref: 7036E800
                                                          • Part of subcall function 7036E7E2: WriteFile.KERNEL32(?,?,00000000,00000004,00000000,?,7036E26F,00000004,00000004), ref: 7036E827
                                                        Strings
                                                        • Loading Event: EventType(%s,%d) PublishedBy(%s), xrefs: 7036A401
                                                        • pSerializeEvent, xrefs: 7036A3CC
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 7036A3D1
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: FileWrite$ErrorLastMessageSetup
                                                        • String ID: Loading Event: EventType(%s,%d) PublishedBy(%s)$onecore\base\ntsetup\panther\engine\seq.c$pSerializeEvent
                                                        • API String ID: 1511708183-2923911494
                                                        • Opcode ID: f314f81d63ff97d04b7cc191306d5aec178f1c83dbd7ef68dae1b2a7e5c8ef15
                                                        • Instruction ID: 67cdeed9e4ad07beffe0072a655614afdabac464e6ddad95d0a8f0f1d1393772
                                                        • Opcode Fuzzy Hash: f314f81d63ff97d04b7cc191306d5aec178f1c83dbd7ef68dae1b2a7e5c8ef15
                                                        • Instruction Fuzzy Hash: 9051F4B5E00618AFCB05CF95D980ADDB7B5FB48314F20811AE816BB358DB71AD06CF54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000121E,onecore\base\ntsetup\panther\engine\bb.cpp,CStorage::CheckAndRestoreIntegrity,?,00000000,00000000,00000000), ref: 7037889A
                                                        Strings
                                                        • CBlackboard::CheckAndRestoreIntegrity(%s) done with Result=%d, xrefs: 70378867
                                                        • CStorage::CheckAndRestoreIntegrity, xrefs: 7037887F
                                                        • <null>, xrefs: 7037885D, 70378866
                                                        • onecore\base\ntsetup\panther\engine\bb.cpp, xrefs: 70378884
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: MessageSetup
                                                        • String ID: <null>$CBlackboard::CheckAndRestoreIntegrity(%s) done with Result=%d$CStorage::CheckAndRestoreIntegrity$onecore\base\ntsetup\panther\engine\bb.cpp
                                                        • API String ID: 140331278-1281017420
                                                        • Opcode ID: 3d0ea6fb52e55839591cf7a58697b31133ed41062487b932984bf35760989502
                                                        • Instruction ID: 78360a75b4005b69d8ed07c7ea50418ee01b3eba023fed7d0916a94719c1c881
                                                        • Opcode Fuzzy Hash: 3d0ea6fb52e55839591cf7a58697b31133ed41062487b932984bf35760989502
                                                        • Instruction Fuzzy Hash: 75518975A40205AFCB05CF5AC9C0AADB7F9FF88310B65D06EE846AB290D735EC01CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(7038A6E0,00000020), ref: 7036F2D1
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,000001A9,onecore\base\ntsetup\panther\engine\engine.cpp,pSerializeFileVersion,?,00000000,00000000,00000000), ref: 7036F31A
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • Saving FileVersion %s%d.%s, xrefs: 7036F2E9
                                                        • pSerializeFileVersion, xrefs: 7036F2FF
                                                        • onecore\base\ntsetup\panther\engine\engine.cpp, xrefs: 7036F304
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorHeapLast$AllocConstructMessagePartialProcessSetupmemset
                                                        • String ID: Saving FileVersion %s%d.%s$onecore\base\ntsetup\panther\engine\engine.cpp$pSerializeFileVersion
                                                        • API String ID: 641720108-1232896198
                                                        • Opcode ID: 8041907709b2fdc85c86760b903a77fe690a46db173734c59da6d53bc4eb19fc
                                                        • Instruction ID: 14b717d204c2a251a7343f0dfa6237ffa34d28646e9330017416008c5f2477fb
                                                        • Opcode Fuzzy Hash: 8041907709b2fdc85c86760b903a77fe690a46db173734c59da6d53bc4eb19fc
                                                        • Instruction Fuzzy Hash: D9410B7AA00219AFDB00CFA5C990ADDB7B5FF48350F114169F916AB398D731A905CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,7038A3C0,00000034), ref: 7036BDCC
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000), ref: 7036BE0A
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • Error serializing callback in '%s', xrefs: 7036BDF7
                                                        • onecore\base\ntsetup\panther\engine\seq.c, xrefs: 7036BDDB
                                                        • pSerializeSubscription, xrefs: 7036BDD6
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorHeapLast$AllocConstructMessagePartialProcessSetupmemset
                                                        • String ID: Error serializing callback in '%s'$onecore\base\ntsetup\panther\engine\seq.c$pSerializeSubscription
                                                        • API String ID: 641720108-4195555326
                                                        • Opcode ID: fa7317100863135288ae5247de053cb04effed4d0619012a3892510a6814fea8
                                                        • Instruction ID: b07a4446a4e0e464e3e7ea69c0cf055b275ca5d0114f81afce318ec916e9110e
                                                        • Opcode Fuzzy Hash: fa7317100863135288ae5247de053cb04effed4d0619012a3892510a6814fea8
                                                        • Instruction Fuzzy Hash: 85411875A00208EFDB14CFA5E980ADEB7B9BF88314F104529F906AB384DB75AD41CF60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Timeswscanf_s$SystemVariant
                                                        • String ID: %u-%u-%u$%u/%u/%u
                                                        • API String ID: 1655913733-3310563466
                                                        • Opcode ID: 8c142d0d580475e84dac707949c60c094988a1ec869a97f8f339620b25d97367
                                                        • Instruction ID: fc67605b17f17bbcdd3f277584690e7aa8942a5b18b78e76623937c47d239654
                                                        • Opcode Fuzzy Hash: 8c142d0d580475e84dac707949c60c094988a1ec869a97f8f339620b25d97367
                                                        • Instruction Fuzzy Hash: D4113D7A90011DAA8B01DBE9CC859FFB7BDEF48610B610566EA06E3150E734EA45C7B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00001361,onecore\base\ntsetup\panther\engine\bb.cpp,CBlackboard::Close,00000000,00000000,00000000,00000000,00000000,03251EE8,00000000), ref: 70378FDD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: MessageSetup
                                                        • String ID: <unnamed>$CBlackboard::Close$CBlackboard::Close: %s.$onecore\base\ntsetup\panther\engine\bb.cpp
                                                        • API String ID: 140331278-3470024171
                                                        • Opcode ID: 490b98d5e46978946f63b27f970d52e0fa8e60b8bdaeab8133e57d26c7b9d24f
                                                        • Instruction ID: 4f21700fcf8d3c61292f990c044d05d93de438706b4c5b62d624e157de7a5fc1
                                                        • Opcode Fuzzy Hash: 490b98d5e46978946f63b27f970d52e0fa8e60b8bdaeab8133e57d26c7b9d24f
                                                        • Instruction Fuzzy Hash: 9101C4713502007FDB184B119C9AF6E365DEB84621F15516EFD069F285EAA9EC01C5A4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 7037010B: memset.MSVCRT ref: 70370139
                                                        • GetLastError.KERNEL32 ref: 70371BB8
                                                          • Part of subcall function 703692A2: ConstructPartialMsgVW.WDSCORE(?,?,?,?,703702EF,03000020,Function %s was called, but the panther work queue is not running!,WdsInitializeCallbackArray,?,?,?,7036A02F), ref: 703692B1
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000AE3,onecore\base\ntsetup\panther\engine\engine.cpp,WdsIterateOfflineQueue,?,00000000,00000000,00000000), ref: 70371BF6
                                                          • Part of subcall function 7037F850: GetLastError.KERNEL32(WdsInitializeCallbackArray,00000000), ref: 7037F8AA
                                                          • Part of subcall function 7037F850: memset.MSVCRT ref: 7037F8CF
                                                          • Part of subcall function 7037F850: GetProcessHeap.KERNEL32(00000000,?), ref: 7037F921
                                                          • Part of subcall function 7037F850: HeapAlloc.KERNEL32(00000000), ref: 7037F928
                                                        Strings
                                                        • Invalid Group Name '%s' passed to WdsIterateOfflineQueue, xrefs: 70371BBF
                                                        • onecore\base\ntsetup\panther\engine\engine.cpp, xrefs: 70371BE0
                                                        • WdsIterateOfflineQueue, xrefs: 70371BDB
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorHeapLastmemset$AllocConstructMessagePartialProcessSetup
                                                        • String ID: Invalid Group Name '%s' passed to WdsIterateOfflineQueue$WdsIterateOfflineQueue$onecore\base\ntsetup\panther\engine\engine.cpp
                                                        • API String ID: 2807932644-917445289
                                                        • Opcode ID: 7a1c15d4e45dea89325372de57fa02b17af93b5b9152aa77b1ac5cf4d00c9bba
                                                        • Instruction ID: bfe71dfae59c09180dec9b4c656f073e5270ce6a892a39260ca232e1c3d9eabf
                                                        • Opcode Fuzzy Hash: 7a1c15d4e45dea89325372de57fa02b17af93b5b9152aa77b1ac5cf4d00c9bba
                                                        • Instruction Fuzzy Hash: 8101D833600109BFDF114E95CC4AFEF367DDB84210F11821DFD555A284E7799922E751
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 70371725
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00000996,onecore\base\ntsetup\panther\engine\engine.cpp,WdsAddModule,?,00000000,00000000,00000000), ref: 70371761
                                                        Strings
                                                        • WdsAddModule, xrefs: 70371746
                                                        • onecore\base\ntsetup\panther\engine\engine.cpp, xrefs: 7037174B
                                                        • WdsAddModule given invalid parameters, xrefs: 7037172B
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastMessageSetup
                                                        • String ID: WdsAddModule$WdsAddModule given invalid parameters$onecore\base\ntsetup\panther\engine\engine.cpp
                                                        • API String ID: 2111701876-1064433732
                                                        • Opcode ID: ee9d235d92abfaf5641af3d5af64ec0f495464deec74f108efad31ba5c2a7fb7
                                                        • Instruction ID: 2c22e61159bd1309b456f849adbf500b4bf51d1bede35c49940a7d86a3a96360
                                                        • Opcode Fuzzy Hash: ee9d235d92abfaf5641af3d5af64ec0f495464deec74f108efad31ba5c2a7fb7
                                                        • Instruction Fuzzy Hash: D101D133600209BFEF198F49DC46FEF33EDEB40251F10811EF9121D2948BB9A951D655
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetTempFileNameW.KERNEL32(?,SEQ,00000000,?,00000208), ref: 7036E9B2
                                                        • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 7036E9D2
                                                        • CloseHandle.KERNEL32(00000000), ref: 7036E9DE
                                                        • DeleteFileW.KERNEL32(?), ref: 7036E9EB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: File$CloseCreateDeleteHandleNameTemp
                                                        • String ID: SEQ
                                                        • API String ID: 3375149446-14259161
                                                        • Opcode ID: 46a3be7511d35785ce974c60bd79a9df32e9320a8d450ab6128cf5ea4a2c2476
                                                        • Instruction ID: 24b999b550bbd5285dee905ac1acabd529acb2e8247d63fc5970b5236f753a64
                                                        • Opcode Fuzzy Hash: 46a3be7511d35785ce974c60bd79a9df32e9320a8d450ab6128cf5ea4a2c2476
                                                        • Instruction Fuzzy Hash: EDF031B2501229AFC7209B768C0DF9F7BACEF45214F714794B416E60C5DB34DA05C671
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WdsEnumFirstCollectionValue.WDSCORE(?,?,7038A880,00000038), ref: 70371D70
                                                        • WdsEnumNextCollectionValue.WDSCORE(?,?,?,7038A880,00000038), ref: 70371DA1
                                                        • WdsSeqAlloc.WDSCORE(00000000,00000000,?,?,7038A880,00000038), ref: 70371DD3
                                                        • WdsEnumFirstCollectionValue.WDSCORE(?,?,00000004,00000000,00000000,?,?,7038A880,00000038), ref: 70371DF5
                                                        • WdsEnumNextCollectionValue.WDSCORE(?,?,00000004,?,00000004,00000004,?,?,00000004,00000000,00000000,?,?,7038A880,00000038), ref: 70371E6A
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: CollectionEnumValue$FirstNext$Alloc
                                                        • String ID:
                                                        • API String ID: 1911307209-0
                                                        • Opcode ID: b64ccbbddbe78ab5361bd89d50fb949e7bd37144ae8ff15df4e536a8bd188fd5
                                                        • Instruction ID: 000313cf9780a34cfbd762dbf6f2c0ba81ce24ec5ca2eb504d8b54d0074a6103
                                                        • Opcode Fuzzy Hash: b64ccbbddbe78ab5361bd89d50fb949e7bd37144ae8ff15df4e536a8bd188fd5
                                                        • Instruction Fuzzy Hash: C4411172E102099FDF05DFA8C9C1ADDBBB5EF44300F10952AE902EB355E778A946CB94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: wcschr$wcsrchr
                                                        • String ID:
                                                        • API String ID: 2546881291-0
                                                        • Opcode ID: 8294c4a3cf7cdbe44ee5fc0fbf6bfe5adc78ff375e8915c40318d5f09aac83aa
                                                        • Instruction ID: a4506a8c4d90640a728d2ba34df89e87234983015d3de2581fd8d6f6c64626af
                                                        • Opcode Fuzzy Hash: 8294c4a3cf7cdbe44ee5fc0fbf6bfe5adc78ff375e8915c40318d5f09aac83aa
                                                        • Instruction Fuzzy Hash: 8D31F676600A02EFCB04DF65C9C956E77BDEF85360B21806DE9139B280E774DD01CB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 70381B54
                                                        • HeapFree.KERNEL32(00000000), ref: 70381B5B
                                                        • GetProcessHeap.KERNEL32 ref: 70381BB1
                                                        • HeapFree.KERNEL32(00000000,00000000,?), ref: 70381BBB
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 70381BCA
                                                        • HeapFree.KERNEL32(00000000), ref: 70381BD1
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$FreeProcess
                                                        • String ID:
                                                        • API String ID: 3859560861-0
                                                        • Opcode ID: 905a0a251509d8b6ea3f5c83b26ca3310e374c128d2d0fa3fee310c5612788e5
                                                        • Instruction ID: b409f19c295d8da45f22f52d8e28d8753db389bae2e747dcd398740afb458f96
                                                        • Opcode Fuzzy Hash: 905a0a251509d8b6ea3f5c83b26ca3310e374c128d2d0fa3fee310c5612788e5
                                                        • Instruction Fuzzy Hash: 583164B2900205CFDF09CF55C885B9E77B9FF58311F214199D806AB3D6E774A841CB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 70385C13
                                                        • HeapAlloc.KERNEL32(00000000), ref: 70385C1A
                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 70385C36
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 70385C43
                                                        • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 70385C4A
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocByteCharFreeMultiWide
                                                        • String ID:
                                                        • API String ID: 586017212-0
                                                        • Opcode ID: c215a026d91ccb2a2beb674b16eb3ae12087702221ffc79f7f774a9fff24edc5
                                                        • Instruction ID: 3f55ecab855d0e976a2999f0691a9e896a63621e1390388404d89a5f266c8ace
                                                        • Opcode Fuzzy Hash: c215a026d91ccb2a2beb674b16eb3ae12087702221ffc79f7f774a9fff24edc5
                                                        • Instruction Fuzzy Hash: 7C11E9BA2042016FDB155BB68C18B7B3ABDEB94645B2544AFF947CB1C0EA71CD01D670
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 70389626
                                                        • GetCurrentProcessId.KERNEL32 ref: 70389635
                                                        • GetCurrentThreadId.KERNEL32 ref: 7038963E
                                                        • GetTickCount.KERNEL32 ref: 70389647
                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 7038965C
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                        • String ID:
                                                        • API String ID: 1445889803-0
                                                        • Opcode ID: 26a31826a3d7c5cb7225eb2687feee19604ea0581b71e8c74d8d19f473a7a9b1
                                                        • Instruction ID: 6e5eeb79c9cffc480ef1bdaef51f297baa292daa242bb5cbca1df7eeb14f3b96
                                                        • Opcode Fuzzy Hash: 26a31826a3d7c5cb7225eb2687feee19604ea0581b71e8c74d8d19f473a7a9b1
                                                        • Instruction Fuzzy Hash: 7811ECB6D11209EFCB10DBB5C94869EB7F9EF98315F6649D6D802E7290E7309B018B60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
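                                                        The five-call entry above (GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter) is the sequence the MSVC CRT uses in __security_init_cookie to seed the /GS stack cookie, and the GetTempFileNameW/CreateFileW/CloseHandle/DeleteFileW entry further up creates and immediately deletes a temp file, which is a writability probe rather than a drop. Neither is an indicator on its own, and a listing of this length is only useful once the API sequences are pulled out of the text and matched against known patterns, with the Opcode ID and fuzzy hashes kept as the keys for correlating the same function across reports. The Python below is an added example, not part of the Joe Sandbox report and not code from SetupHost or wdscore: it parses the "APIs" and "Similarity" sections of entries written in this listing's format (the sample is a constructed excerpt whose lines are copied from three of the entries above, the third abridged) and tags each entry with a small signature table. The tag names, the signature table and the "Part of subcall function" handling are this example's own assumptions about the format, not anything Joe Sandbox documents.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt in the shape of the Joe Sandbox function listing on this page; the API
# lines and IDs are copied (the third entry abridged) from three of the entries above.
SAMPLE = """\
APIs
• GetTempFileNameW.KERNEL32(?,SEQ,00000000,?,00000208), ref: 7036E9B2
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 7036E9D2
• CloseHandle.KERNEL32(00000000), ref: 7036E9DE
• DeleteFileW.KERNEL32(?), ref: 7036E9EB
Similarity
• String ID: SEQ
• Opcode ID: 46a3be7511d35785ce974c60bd79a9df32e9320a8d450ab6128cf5ea4a2c2476
Uniqueness Score: -1.00%

APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 70389626
• GetCurrentProcessId.KERNEL32 ref: 70389635
• GetCurrentThreadId.KERNEL32 ref: 7038963E
• GetTickCount.KERNEL32 ref: 70389647
• QueryPerformanceCounter.KERNEL32(?), ref: 7038965C
Similarity
• String ID:
Uniqueness Score: -1.00%

APIs
• HeapAlloc.KERNEL32(00000000), ref: 70385C1A
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000), ref: 70385C36
• HeapFree.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 70385C4A
Uniqueness Score: -1.00%
"""
# "• [Part of subcall function ADDR: ]Name.Module[(args)][,] ref: ADDR"
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
SIM_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # "• API ID: ...", "• Opcode ID: ..."
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None  # set when the report attributes the call to a subcall

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)

    def direct_api_names(self) -> list:
        return [a.name for a in self.apis if a.subcall_of is None]

def parse_listing(text: str) -> list:
    entries, cur, section = [], FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Uniqueness Score"):   # closes every entry in the listing
            entries.append(cur)
            cur, section = FunctionEntry(), None
        elif line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif section == "Similarity" and (m := SIM_RE.match(line)):
            cur.similarity[m["key"]] = m["val"]
    return entries

# Illustrative signatures (this example's own, not Joe Sandbox's): a tag applies when the
# listed calls occur in this order among the entry's direct calls.
SIGNATURES = {
    # MSVC CRT __security_init_cookie seeds the /GS stack cookie from exactly these five values
    "msvc_security_init_cookie": ("GetSystemTimeAsFileTime", "GetCurrentProcessId",
                                  "GetCurrentThreadId", "GetTickCount", "QueryPerformanceCounter"),
    # create-then-delete of a temp file is a writability probe, not persistence
    "temp_file_write_probe": ("GetTempFileNameW", "CreateFileW", "CloseHandle", "DeleteFileW"),
    "wide_to_multibyte": ("HeapAlloc", "WideCharToMultiByte", "HeapFree"),
}

def _in_order(needle, haystack) -> bool:
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)

def classify(entry: FunctionEntry) -> list:
    tags = [t for t, seq in SIGNATURES.items() if _in_order(seq, entry.direct_api_names())]
    # 0xFDE9 is CP_UTF8: when the first argument shows it, name the narrowing precisely
    if "wide_to_multibyte" in tags and any(
            a.name == "WideCharToMultiByte" and a.args[:1] == ["0000FDE9"] for a in entry.apis):
        tags[tags.index("wide_to_multibyte")] = "wide_to_utf8"
    return tags

def triage(text: str) -> list:
    # one row per entry: address of its first call, direct call names, tags, short Opcode ID
    return [{"ref": e.apis[0].ref if e.apis else "", "apis": e.direct_api_names(),
             "tags": classify(e), "opcode_id": e.similarity.get("Opcode ID", "")[:16]}
            for e in parse_listing(text)]
```

                                                        Feed the whole saved listing to triage() and the rows that come back with no tags are the ones still worth reading by hand; the tagged ones are compiler or runtime boilerplate that appears in any /GS-built binary and in any installer that checks a directory is writable. Calls the report marks "Part of subcall function" are kept but excluded from matching, since they belong to the callee rather than to the function the entry describes.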

                                                        APIs
                                                          • Part of subcall function 703835CC: GetProcessHeap.KERNEL32(00000008,00000000,02000000,00000000,?,7037F7E2,02000000,65000000,00000000,?,?,7037FA1E,?), ref: 703835E5
                                                          • Part of subcall function 703835CC: HeapAlloc.KERNEL32(00000000,?,7037FA1E,?), ref: 703835EC
                                                          • Part of subcall function 7037F55A: GetProcessHeap.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,7037FA1E,?), ref: 7037F570
                                                          • Part of subcall function 7037F55A: HeapAlloc.KERNEL32(00000000,?,7037FA1E,?), ref: 7037F577
                                                          • Part of subcall function 7037F55A: GetProcessHeap.KERNEL32(00000000,00000000,00000011,?,7037FA1E,?), ref: 7037F583
                                                          • Part of subcall function 7037F55A: HeapReAlloc.KERNEL32(00000000,?,7037FA1E,?), ref: 7037F58A
                                                          • Part of subcall function 7037F55A: strrchr.MSVCRT ref: 7037F5B0
                                                          • Part of subcall function 7037F55A: GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 7037F5DD
                                                          • Part of subcall function 7037F55A: HeapReAlloc.KERNEL32(00000000), ref: 7037F5E4
                                                          • Part of subcall function 7037F55A: GetProcessHeap.KERNEL32(00000000,00000000,?), ref: 7037F61E
                                                          • Part of subcall function 7037F55A: HeapReAlloc.KERNEL32(00000000), ref: 7037F625
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,02000000,65000000,00000000,?,?,7037FA1E,?), ref: 7037F808
                                                        • HeapFree.KERNEL32(00000000,?,7037FA1E,?), ref: 7037F80F
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,7037FA1E,?), ref: 7037F817
                                                        • HeapFree.KERNEL32(00000000,?,7037FA1E,?), ref: 7037F81E
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,7037FA1E,?), ref: 7037F826
                                                        • HeapFree.KERNEL32(00000000,?,7037FA1E,?), ref: 7037F82D
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Alloc$Free$strrchr
                                                        • String ID:
                                                        • API String ID: 2728736496-0
                                                        • Opcode ID: 9896dcfd58536217e32668155551bfeced2ab10bfc1f133b04e7ed3b3e1f023a
                                                        • Instruction ID: 0a9624c693a85056cc212f50d2b7777afb8a8bfb1e2ac04339b52cd1fe8716ca
                                                        • Opcode Fuzzy Hash: 9896dcfd58536217e32668155551bfeced2ab10bfc1f133b04e7ed3b3e1f023a
                                                        • Instruction Fuzzy Hash: F8F012B36001147FC7005BB68C8DD7F7AADEADA6653340495F505C7291DA78DC079774
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • TlsGetValue.KERNEL32(00000013,?,7036F138,?,70388E29,?,00000000,?,?,00000000,?,?,?,?,7038B7F0,0000002C), ref: 7037FF29
                                                        • EnterCriticalSection.KERNEL32(7038DF18,00000000,?,?,70388E29,?,00000000,?,?,00000000,?,?,?,?,7038B7F0,0000002C), ref: 7037FF3C
                                                        • GetProcessHeap.KERNEL32(?,?,70388E29,?,00000000,?,?,00000000,?,?,?,?,7038B7F0,0000002C), ref: 7037FF60
                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,?,70388E29,?,00000000,?,?,00000000,?,?,?,?,7038B7F0), ref: 7037FF6B
                                                        • TlsSetValue.KERNEL32(00000000,?,?,?,70388E29,?,00000000,?,?,00000000,?,?,?,?,7038B7F0,0000002C), ref: 7037FF80
                                                        • LeaveCriticalSection.KERNEL32(7038DF18,?,?,?,70388E29,?,00000000,?,?,00000000,?,?,?,?,7038B7F0,0000002C), ref: 7037FF8B
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: CriticalHeapSectionValue$EnterFreeLeaveProcess
                                                        • String ID:
                                                        • API String ID: 1434723304-0
                                                        • Opcode ID: d43c32a900c19265382825ad17721c0c853aad46ff539dc8c870bdb194cc76bf
                                                        • Instruction ID: 4792896785fdc1922015e933ce60e05409f2c3318e3e0e49463c502cdbaaa56d
                                                        • Opcode Fuzzy Hash: d43c32a900c19265382825ad17721c0c853aad46ff539dc8c870bdb194cc76bf
                                                        • Instruction Fuzzy Hash: 29F01D771041019FC6119B66DD88E5A7B7DF79A3203314694F916C32E4CB349805DB30
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,?,703879FE), ref: 70387A31
                                                        • HeapFree.KERNEL32(00000000), ref: 70387A38
                                                        • GetProcessHeap.KERNEL32(00000000,?,703879FE), ref: 70387A47
                                                        • HeapFree.KERNEL32(00000000), ref: 70387A4E
                                                        • GetProcessHeap.KERNEL32(00000000,?,703879FE), ref: 70387A5D
                                                        • HeapFree.KERNEL32(00000000), ref: 70387A64
                                                          • Part of subcall function 70387524: memset.MSVCRT ref: 70387557
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$FreeProcess$memset
                                                        • String ID:
                                                        • API String ID: 145835812-0
                                                        • Opcode ID: 2baaa080a8acc7e31c7d49cf63ebab51b1a4fa3edc297a42162dcc95f9d11725
                                                        • Instruction ID: 2374b9b5d2a0914b8c35258ba92ad69c18308749604d7ab07e412c0e8dd829b3
                                                        • Opcode Fuzzy Hash: 2baaa080a8acc7e31c7d49cf63ebab51b1a4fa3edc297a42162dcc95f9d11725
                                                        • Instruction Fuzzy Hash: BDF0A2B26102015FDF15DBB18D88F7F36BDFA5864272100D8F903E2291DB2CC9459730
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 70372FF7: __EH_prolog3.LIBCMT ref: 70372FFE
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000051C,onecore\base\ntsetup\panther\engine\bb.cpp,CSpinLockFileMappingArray::Create,00000000,00000000,00000000,00000000,?,00000000), ref: 70374884
                                                        Strings
                                                        • CSpinLockFileMappingArray::Create: m_pMapping->Create(%s) failed., xrefs: 7037484F
                                                        • CSpinLockFileMappingArray::Create, xrefs: 70374869
                                                        • onecore\base\ntsetup\panther\engine\bb.cpp, xrefs: 7037486E
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: H_prolog3MessageSetup
                                                        • String ID: CSpinLockFileMappingArray::Create$CSpinLockFileMappingArray::Create: m_pMapping->Create(%s) failed.$onecore\base\ntsetup\panther\engine\bb.cpp
                                                        • API String ID: 2422027104-1173589872
                                                        • Opcode ID: 1452681fcdf4fb0762329edd7d3a86abb8f0031e94fea1484c493acdd02085c6
                                                        • Instruction ID: 512518a93a09385e8b06dbac533e5ed72e171bd7e61314a72a037fd43ce666e1
                                                        • Opcode Fuzzy Hash: 1452681fcdf4fb0762329edd7d3a86abb8f0031e94fea1484c493acdd02085c6
                                                        • Instruction Fuzzy Hash: 0031603A700115AFDB058F11CC94F6D3BAAFB88350F254099F912AB390DBB5BD12DB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00001C4E,onecore\base\ntsetup\panther\engine\bb.cpp,CBlackboardFactory::Remove,?,00000000,00000000,00000000), ref: 7037BA28
                                                        Strings
                                                        • pBlackboard(0x%x)has %d outstanding access reference count. Client probably did not close Enum handle(s)., xrefs: 7037B9F3
                                                        • CBlackboardFactory::Remove, xrefs: 7037BA0D
                                                        • onecore\base\ntsetup\panther\engine\bb.cpp, xrefs: 7037BA12
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: MessageSetup
                                                        • String ID: CBlackboardFactory::Remove$onecore\base\ntsetup\panther\engine\bb.cpp$pBlackboard(0x%x)has %d outstanding access reference count. Client probably did not close Enum handle(s).
                                                        • API String ID: 140331278-3119640952
                                                        • Opcode ID: 03e7c7a61e869bb61bb5675894a274f3a2edbc71e1c29ac6893d5fea3aac9eaa
                                                        • Instruction ID: a6d786be33b0453edc4322885e814cb5980498864f3b139ff14fa6258e9bf436
                                                        • Opcode Fuzzy Hash: 03e7c7a61e869bb61bb5675894a274f3a2edbc71e1c29ac6893d5fea3aac9eaa
                                                        • Instruction Fuzzy Hash: 3D21D672600205AFDB059B258DC1B7E73BDEF95210B15916DF9079B280EB79FD0287A1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: towlower$wcsrchr
                                                        • String ID: C:\$Windows.~WS\Sources\SetupHost.Exe
                                                        • API String ID: 1922847176-3808150863
                                                        • Opcode ID: 4f9fc2115d02400446831d5117c839926cf747af294a4cb7b4dd0520fdf279b7
                                                        • Instruction ID: e31876f8c8eac0a52fb957130cfffd0a439c7e2636cc592262b73a1fe8ac3492
                                                        • Opcode Fuzzy Hash: 4f9fc2115d02400446831d5117c839926cf747af294a4cb7b4dd0520fdf279b7
                                                        • Instruction Fuzzy Hash: AF11E63F6052129FEB18AB6B5CC167F3379FB54651721D02FE903C71C0EAA88D428260
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • iswctype.MSVCRT(?,00000103,00000000,?,?,00000000,?,703869FF), ref: 70386EC9
                                                        • iswctype.MSVCRT(?,00000004), ref: 70386EE4
                                                        • _wcsnicmp.MSVCRT ref: 70386F1A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: iswctype$_wcsnicmp
                                                        • String ID: XML
                                                        • API String ID: 629269460-2807274217
                                                        • Opcode ID: 7456d43a21eef3822e8d415ad68bb5740a34b931d0ab7e1f4e515a55eca730bc
                                                        • Instruction ID: db152bbc55cc126348088bcd3b2b6b000490210f985e5bf39b9b8a0731d3f520
                                                        • Opcode Fuzzy Hash: 7456d43a21eef3822e8d415ad68bb5740a34b931d0ab7e1f4e515a55eca730bc
                                                        • Instruction Fuzzy Hash: 0F01453B2846127FE7125729BC45B9E76ACDB04A24F7105AAFB03E70C0E7A0CD014438
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,00001329,onecore\base\ntsetup\panther\engine\bb.cpp,CBlackboard::~CBlackboard,00000000,00000000,00000000,00000000,F4FD9A64,00000000,03251EE8,00000000), ref: 70378E23
                                                        Strings
                                                        • CBlackboard::m_lAccessSpinLock = %d for BB="%s", xrefs: 70378DF0
                                                        • CBlackboard::~CBlackboard, xrefs: 70378E08
                                                        • onecore\base\ntsetup\panther\engine\bb.cpp, xrefs: 70378E0D
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: MessageSetup
                                                        • String ID: CBlackboard::m_lAccessSpinLock = %d for BB="%s"$CBlackboard::~CBlackboard$onecore\base\ntsetup\panther\engine\bb.cpp
                                                        • API String ID: 140331278-2602513363
                                                        • Opcode ID: a12774ffb097985ea103140ece6041df73faf0ffa484ae5981fbb4b866d50732
                                                        • Instruction ID: dc44f23286a9a8bb09082d1423b295f17ea7b2d0a4ced4ddd36c7ef2605e49da
                                                        • Opcode Fuzzy Hash: a12774ffb097985ea103140ece6041df73faf0ffa484ae5981fbb4b866d50732
                                                        • Instruction Fuzzy Hash: D711A376700110BFDB159B15CC86F6E776DEB88620F10456EF9029B385EBB8BC01C760
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleExA.KERNEL32(00000002,ntdll.dll,00000000,02000000,00000000,00000000,?,?,?,?,?,7037FA2F,?), ref: 70385057
                                                        • GetProcAddress.KERNEL32(00000000,MicrosoftTelemetryAssertTriggeredUM), ref: 7038506F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: MicrosoftTelemetryAssertTriggeredUM$ntdll.dll
                                                        • API String ID: 1646373207-1893337043
                                                        • Opcode ID: a516e3b24120702f5756cf2fda629192c20154a14bfdaf2a28a81af53c3e4555
                                                        • Instruction ID: 3320ec50cf91a9bb323bc459991de45c3d45d1efe3895cd53257aba36d4a61c8
                                                        • Opcode Fuzzy Hash: a516e3b24120702f5756cf2fda629192c20154a14bfdaf2a28a81af53c3e4555
                                                        • Instruction Fuzzy Hash: 210156B5D01208EFCB10DF95C9447DEBFB8EB44355F20416AE845A7281C7B58E44CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
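The per-function records in this section are uniform enough to be parsed mechanically, which is how a practitioner would triage a report that lists thousands of them. The parser below is an added example and not part of the Joe Sandbox report or its tooling. It reads records in the plain-text layout shown above (the "APIs", "Strings", "Memory Dump Source", "Similarity" and "Uniqueness Score" sections), keeps "Part of subcall function" calls separate from direct calls, and runs two triage queries over the result: the module/symbol pairs a function resolves at run time through GetModuleHandle*/LoadLibrary* followed by GetProcAddress (such as the ntdll.dll / MicrosoftTelemetryAssertTriggeredUM pair in the record above), and the source-file, function and line triples carried in WdsSetupLogMessageW calls. The argument positions used for that second query (args[4] as a hex line number, args[5] the source file, args[6] the function name) are an assumption inferred from the argument pattern in these records, not a documented contract. The two sample records embedded at the top are constructed copies of records from this page, trimmed to what the parser needs.

```python
"""Parse Joe Sandbox per-function disassembly records (added example, not Joe Sandbox code)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: two records copied from this report's layout and trimmed.
SAMPLE = r"""
APIs
• GetModuleHandleExA.KERNEL32(00000002,ntdll.dll,00000000,02000000,00000000,00000000,?,?,?,?,?,7037FA2F,?), ref: 70385057
• GetProcAddress.KERNEL32(00000000,MicrosoftTelemetryAssertTriggeredUM), ref: 7038506F
Strings
Memory Dump Source
• Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
• Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: MicrosoftTelemetryAssertTriggeredUM$ntdll.dll
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 70372FF7: __EH_prolog3.LIBCMT ref: 70372FFE
• WdsSetupLogMessageW.WDSCORE(00000000,00090000,70361E24,00000000,0000051C,onecore\base\ntsetup\panther\engine\bb.cpp,CSpinLockFileMappingArray::Create,00000000,00000000,00000000,00000000,?,00000000), ref: 70374884
Strings
• CSpinLockFileMappingArray::Create: m_pMapping->Create(%s) failed., xrefs: 7037484F
• onecore\base\ntsetup\panther\engine\bb.cpp, xrefs: 7037486E
Similarity
• API ID: H_prolog3MessageSetup
Uniqueness

Uniqueness Score: -1.00%
"""

# "• [Part of subcall function XXXX: ]name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STR_RE = re.compile(r"•\s*(?P<text>.*), xrefs:\s*(?P<ref>[0-9A-Fa-f]+)")  # "• text, xrefs: ADDR"
KV_RE = re.compile(r"•\s*(?P<key>[\w ]+?):\s*(?P<val>.*)$")               # "• Key: value"
HEXISH = re.compile(r"[0-9A-Fa-f]+|\?")  # an argument the report could not resolve to a string
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall: str = ""  # address of the callee when the call happens inside a subcall


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref address)
    meta: dict = field(default_factory=dict)     # "API ID", "Opcode ID", "Associated", ...


def parse_records(text):
    """Split the report text into FunctionRecord objects; a record starts at each 'APIs' header."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            section = "APIs"
            continue
        if line in SECTIONS:
            section = line
            continue
        if line.startswith("Uniqueness Score:"):
            if cur is not None:
                cur.meta["uniqueness"] = line.split(":", 1)[1].strip()
            continue
        if cur is None:  # text before the first record (e.g. a truncated record) is skipped
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"] or ""))
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                cur.strings.append((m["text"], m["ref"]))
        else:
            m = KV_RE.match(line)
            if m:
                key, val = m["key"], m["val"]
                if key == "Associated":  # several per record
                    cur.meta.setdefault(key, []).append(val)
                else:
                    cur.meta[key] = val
    return records


def _first_string_arg(args):
    """First argument that the report rendered as a string rather than a hex value or '?'."""
    for a in args:
        if not HEXISH.fullmatch(a):
            return a
    return ""


def dynamic_imports(records):
    """(module, symbol) pairs resolved at run time: GetModuleHandle*/LoadLibrary* then GetProcAddress."""
    found = []
    for rec in records:
        module = ""
        for call in rec.apis:
            if call.subcall:
                continue
            if call.name.startswith(("GetModuleHandle", "LoadLibrary")):
                module = _first_string_arg(call.args)
            elif call.name == "GetProcAddress":
                symbol = _first_string_arg(call.args)
                if symbol:
                    found.append((module, symbol))
    return found


def log_sites(records):
    """(source file, function, line) from WdsSetupLogMessageW calls.
    Assumption: args[4] is the source line in hex, args[5] the file, args[6] the function."""
    sites = []
    for rec in records:
        for call in rec.apis:
            if call.name == "WdsSetupLogMessageW" and len(call.args) >= 7:
                sites.append((call.args[5], call.args[6], int(call.args[4], 16)))
    return sites


def api_profile(records):
    """How often each API is called directly (subcall entries excluded) across all records."""
    return Counter(c.name for r in records for c in r.apis if not c.subcall)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records")
    print("dynamic imports:", dynamic_imports(recs))
    print("log sites:", log_sites(recs))
    print("api profile:", api_profile(recs).most_common())
```

Run against the full report text rather than SAMPLE to get the complete dynamic-import list; on a clean Windows component like this one, the pairs will be Microsoft-internal symbols, whereas a suspicious sample typically resolves networking or process-injection APIs by name in the same GetProcAddress pattern.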

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(?,00000000,?,?,70383C2A,?,?,?,?,?,00000014,F4FD9A64,?,70388130,?,?), ref: 70382F18
                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,70383C2A,?,?,?,?,?,00000014,F4FD9A64), ref: 70382F22
                                                        • GetProcessHeap.KERNEL32(?,00000000,?,?,70383C2A,?,?,?,?,?,00000014,F4FD9A64,?,70388130,?,?), ref: 70382F39
                                                        • HeapAlloc.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,70383C2A,?,?,?,?,?,00000014,F4FD9A64), ref: 70382F43
                                                        • memcpy.MSVCRT ref: 70382F57
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFreememcpy
                                                        • String ID:
                                                        • API String ID: 3405790324-0
                                                        • Opcode ID: e1dd265dd6a81dd28b1b53d0f7a3d557dfd1651865fd7eb83f3731fc41582ee3
                                                        • Instruction ID: a7e34303f0ca18ac13cfc0b0e6862c2ade7141fbb6fa98d1275c668f63e6a03a
                                                        • Opcode Fuzzy Hash: e1dd265dd6a81dd28b1b53d0f7a3d557dfd1651865fd7eb83f3731fc41582ee3
                                                        • Instruction Fuzzy Hash: 45F04FB3500700AFD7104B96CC08F07BBBDEB95B11B25859AFA1A87295DA71E801CB70
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • calloc.MSVCRT ref: 70383FCA
                                                        • calloc.MSVCRT ref: 70383FF7
                                                        • memmove_s.MSVCRT ref: 70384014
                                                          • Part of subcall function 70382E17: _CxxThrowException.MSVCRT(?,7038B928), ref: 70382E2E
                                                        • free.MSVCRT(?,7036AF3B), ref: 70384026
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: calloc$ExceptionThrowfreememmove_s
                                                        • String ID:
                                                        • API String ID: 1247252271-0
                                                        • Opcode ID: b60a4c1e79481d37387fb0779ee61c7bbad0b31f9d0ed55e606f9a3f3af0e0cd
                                                        • Instruction ID: 774ad6eeb208dd73b5ce90076c609a31228250a29583c36862dbe9d2877df9fe
                                                        • Opcode Fuzzy Hash: b60a4c1e79481d37387fb0779ee61c7bbad0b31f9d0ed55e606f9a3f3af0e0cd
                                                        • Instruction Fuzzy Hash: 7611E376A00222AFE7115B29984495FF7ADEB5036072241AAFA05D77C0EB719C61C7F4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 7038379B: __EH_prolog3.LIBCMT ref: 703837A2
                                                        • GetProcessHeap.KERNEL32(00000008,0000D184,SEQ Control,SEQ Control), ref: 70383148
                                                        • HeapAlloc.KERNEL32(00000000), ref: 7038314F
                                                        • memcpy.MSVCRT ref: 70383161
                                                          • Part of subcall function 7038375A: _wcslwr_s.MSVCRT ref: 70383770
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocH_prolog3Process_wcslwr_smemcpy
                                                        • String ID: SEQ Control
                                                        • API String ID: 2168268255-3508354023
                                                        • Opcode ID: 90d1baf262e0a1fc183b9d5bd33e14814630ea81553f2d997e295b3f5561d8a1
                                                        • Instruction ID: 3c7f7088f6be3d38bab9e1ba610f5a6a909efe0b24106d10bc853c145f4f319d
                                                        • Opcode Fuzzy Hash: 90d1baf262e0a1fc183b9d5bd33e14814630ea81553f2d997e295b3f5561d8a1
                                                        • Instruction Fuzzy Hash: A6118AB6D01215AFCB11DBA5CD09A9F7779EF40B00F504499AC03A72C0EB74BA05CAB0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetLastError.KERNEL32(7036CECF), ref: 7036CEEA
                                                        • SetEvent.KERNEL32(?), ref: 7036CF05
                                                        • SetLastError.KERNEL32(00000000), ref: 7036CF0C
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 7036CF16
                                                          • Part of subcall function 7036A0D0: WdsFreeData.WDSCORE(?,?,?,7036A272,?,7036A250,00000000,00090000,70361E24,00000000,000003E4,onecore\base\ntsetup\panther\engine\seq.c,pConstructEvent,?,00000000), ref: 7036A0E1
                                                          • Part of subcall function 7036A0D0: WdsSeqFree.WDSCORE(?,?,?,?,7036A272,?,7036A250,00000000,00090000,70361E24,00000000,000003E4,onecore\base\ntsetup\panther\engine\seq.c,pConstructEvent,?,00000000), ref: 7036A0E7
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: ErrorFreeLast$CriticalDataEventLeaveSection
                                                        • String ID:
                                                        • API String ID: 2381208896-0
                                                        • Opcode ID: 3f2d44cdb25aed04fecfce09d463d9e50ddfda0ae2f38725a4c58768532acd08
                                                        • Instruction ID: 2d0ff2b31b8a583ce8702d0ad6345a60b0746607220623cd54fdcd4e9e8895e7
                                                        • Opcode Fuzzy Hash: 3f2d44cdb25aed04fecfce09d463d9e50ddfda0ae2f38725a4c58768532acd08
                                                        • Instruction Fuzzy Hash: 38D017B2910A16EFCF126B718D4C64E3A7CAF182027214450F107E5266CB30D414CB71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: H_prolog3_
                                                        • String ID: $MemoryControlBlock
                                                        • API String ID: 2427045233-2323674946
                                                        • Opcode ID: 98ed38329ec4b3d1723035b589b8f11db845b48478574c624c73bd60dbe0842f
                                                        • Instruction ID: 2034ea0f4b6a7eb6d0b2cb9fce3f9d41325af4c9bcea471ad4e9f557b3aa8007
                                                        • Opcode Fuzzy Hash: 98ed38329ec4b3d1723035b589b8f11db845b48478574c624c73bd60dbe0842f
                                                        • Instruction Fuzzy Hash: 43411BB5E01219EFEB05CF95C9D0AADB7BAFB44300F15902DE916A7390D778AD01CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 70386BD3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Time$SystemVariant
                                                        • String ID: %.2X$%d-%02d-%02dT%02d:%02d:%02d
                                                        • API String ID: 352189841-4260601390
                                                        • Opcode ID: 9911b9c90303bc82b7ff44320f0dfdbda38729e7b4b7b16424b5ab00c04d06e8
                                                        • Instruction ID: 6ceb2f2859658b09b8e55b287de813c6716695bef65117f1f3f9d505c0383606
                                                        • Opcode Fuzzy Hash: 9911b9c90303bc82b7ff44320f0dfdbda38729e7b4b7b16424b5ab00c04d06e8
                                                        • Instruction Fuzzy Hash: 8821C672A00019BEC7049BB98E859BFB7BCFB89604F11069AFC96E6184D734ED51D3B0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog3.LIBCMT ref: 703737F7
                                                          • Part of subcall function 703738CA: CreateMutexW.KERNEL32(00000000,00000001,?,7038AA78,00000040,70373899,00000000,?,?,?,?,?,?,?,?,?), ref: 70373907
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: CreateH_prolog3Mutex
                                                        • String ID: CFM$Mtx
                                                        • API String ID: 2094887899-3547506197
                                                        • Opcode ID: e1fd41d80ec842198843a26b0f278690392dd7a274fdbcb361c7d502018d84e5
                                                        • Instruction ID: 6c75200cef36a6957eec186102e11e14e45eb78868c4c1c811577141878671f5
                                                        • Opcode Fuzzy Hash: e1fd41d80ec842198843a26b0f278690392dd7a274fdbcb361c7d502018d84e5
                                                        • Instruction Fuzzy Hash: 9F213D3190011AEFEF12CF90C981EEE7B75EF08340F059458F9166A150DB7D9A59EBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: memcpy_smemmove_s
                                                        • String ID: G98p
                                                        • API String ID: 3559298610-1269279808
                                                        • Opcode ID: 6626d63b1ea6c68dbde9e0964014e793dca9a8e2a434033804322baa08623899
                                                        • Instruction ID: 63c9a68271ff09b84e353745c2f8532e1587dd2b10d5bed479661a796debdfb9
                                                        • Opcode Fuzzy Hash: 6626d63b1ea6c68dbde9e0964014e793dca9a8e2a434033804322baa08623899
                                                        • Instruction Fuzzy Hash: 6F01B5B6200141AFCB08AB99CC95DBFB77EEEC475435146ADF5078B380DBB4AD1586B0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • __EH_prolog3.LIBCMT ref: 7037818C
                                                          • Part of subcall function 70378220: CreateMutexW.KERNEL32(00000000,00000001,?,7038ACE8,00000034,703781EF,?,0000000A,?,00000001,Mtx,?,Storage,?,00000004,70378E78), ref: 7037829F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: CreateH_prolog3Mutex
                                                        • String ID: Mtx$Storage
                                                        • API String ID: 2094887899-3105173585
                                                        • Opcode ID: 2d1bd0d224a9ef67b66aa04ac297660446a0c555bf17a57f72b7e05526b2c9c2
                                                        • Instruction ID: 9735be05d28529cf0a8d3a36f2a95035a7c6bb265975b89e13437f0fe0634e25
                                                        • Opcode Fuzzy Hash: 2d1bd0d224a9ef67b66aa04ac297660446a0c555bf17a57f72b7e05526b2c9c2
                                                        • Instruction Fuzzy Hash: 02016D75A40205DFDF018FA0DA819AE7675EF48340F14D858FC069F245DB78EA02DB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000018,?,00000000,03251AF0,?,?,70382C5F,70368130,70382610,7037EB72), ref: 703829F7
                                                        • HeapAlloc.KERNEL32(00000000,?,?,70382C5F,70368130,70382610,7037EB72), ref: 703829FE
                                                        • GetProcessHeap.KERNEL32(00000000,?,00000000,?,?,70382C5F,70368130,70382610,7037EB72), ref: 70382A2B
                                                        • HeapFree.KERNEL32(00000000,?,?,70382C5F,70368130,70382610,7037EB72), ref: 70382A32
                                                          • Part of subcall function 70388A68: malloc.MSVCRT ref: 70388A80
                                                          • Part of subcall function 70382554: memset.MSVCRT ref: 7038258A
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$AllocFreemallocmemset
                                                        • String ID:
                                                        • API String ID: 191677073-0
                                                        • Opcode ID: 5710fe7299ff3101db91fb0c160c319ed454a8121140b567531896d9847668c5
                                                        • Instruction ID: d0f724957bc07f9b8d826c3d22e2ebad7780ba181e90eee211381ae16ba6b680
                                                        • Opcode Fuzzy Hash: 5710fe7299ff3101db91fb0c160c319ed454a8121140b567531896d9847668c5
                                                        • Instruction Fuzzy Hash: 0A316D72A006019FCB16CF65C844F4EB7BABF44710B218599E84ADB2C1DB74ED40CBB0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,?,?,70380384,?), ref: 7037D1EF
                                                        • HeapAlloc.KERNEL32(00000000,?,70380384,?), ref: 7037D1F6
                                                        • GetProcessHeap.KERNEL32(00000000,?,?,70380384,?), ref: 7037D222
                                                        • HeapAlloc.KERNEL32(00000000,?,70380384,?), ref: 7037D229
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: 3869d0d2ba60da53efac6ab913556ed78407ecf1b9098eac4acd0e3b4fa2ba7b
                                                        • Instruction ID: 6b20b1c3db3be687384bfcc3ce7c9e97abb50fbd04964ffca6af1fc9a84c27dd
                                                        • Opcode Fuzzy Hash: 3869d0d2ba60da53efac6ab913556ed78407ecf1b9098eac4acd0e3b4fa2ba7b
                                                        • Instruction Fuzzy Hash: 6911A372200202AFD7105FA9C888B6BB7FDEF95345F10C96EE946C7152EB79D806C760
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(03251EE8,FFFFFFFE,00000000,FFFFFFFE,?,703731B3,00000000,F4FD9A64,00000000,03251EE8,00000000), ref: 7037CEC9
                                                        • HeapReAlloc.KERNEL32(00000000,00000000,00000000,?,?,703731B3,00000000,F4FD9A64,00000000,03251EE8,00000000), ref: 7037CEDB
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: e2016c160fffda66579fa00d13d36bfe80e913384fd4e88c1a403e0bf9261c5b
                                                        • Instruction ID: f6035ad94518763f979926bde5dad956b45394845828907cc2c81bce22ed971f
                                                        • Opcode Fuzzy Hash: e2016c160fffda66579fa00d13d36bfe80e913384fd4e88c1a403e0bf9261c5b
                                                        • Instruction Fuzzy Hash: 91014BB2610304AFD714CF66CC89B1BB7EDEB98661B20846EE55BD3690D7B4E840CB70
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(03251AF0,00000000,?,00000000,?,70380602,?,00000000,7037F162,?,?,7037F29D), ref: 7037CF3D
                                                        • HeapReAlloc.KERNEL32(00000000,00000000,7037F29D,?,?,70380602,?,00000000,7037F162,?,?,7037F29D), ref: 7037CF4F
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: 35ac2847c6626d75262b3e072a44a611b78fa58a376c106cca30cf66518e5bfc
                                                        • Instruction ID: 80eed2ba80ae1fa9488c46abddb6befa16aacdd9b3bdf65a28db9c71035ed94f
                                                        • Opcode Fuzzy Hash: 35ac2847c6626d75262b3e072a44a611b78fa58a376c106cca30cf66518e5bfc
                                                        • Instruction Fuzzy Hash: 930144B2610300AFD7148F56DC89B1BB7FDEB95651B20C42EE55BD3290D674E800CB70
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,?,03251EE8,03251EFC,?,7037B5B8,00000000,00000000,?,00000000,?,?,7037CCCC,?,00000000,00000000), ref: 7037CE57
                                                        • HeapReAlloc.KERNEL32(00000000,00000000,?,?,?,7037B5B8,00000000,00000000,?,00000000,?,?,7037CCCC,?,00000000,00000000), ref: 7037CE67
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: 12927e43cb796162d3872011f260218d8d64e0ec2f3fa9e261398c110848c720
                                                        • Instruction ID: b9ae70ec811b839d6071488bcbae76fd5ea86e8fb0b82866980000cd24abfd73
                                                        • Opcode Fuzzy Hash: 12927e43cb796162d3872011f260218d8d64e0ec2f3fa9e261398c110848c720
                                                        • Instruction Fuzzy Hash: C6018BB2610200EFDB10CFA6CC88B5BB7EDEF95622B20842EE45BC7550D674E800DB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000000,0000000A,00000000,0000000A,?,70379CDC,00000018,?,?,00000054,7037BD6A,00000000,00000000,?,00000000), ref: 7037CD53
                                                        • HeapReAlloc.KERNEL32(00000000,00000000,?,?,?,70379CDC,00000018,?,?,00000054,7037BD6A,00000000,00000000,?,00000000), ref: 7037CD60
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$AllocProcess
                                                        • String ID:
                                                        • API String ID: 1617791916-0
                                                        • Opcode ID: 9409a7e29aad6f929f92793e9f54b130b71a3283ae5dc904d4ace3a940573ccf
                                                        • Instruction ID: 3caedcc00d44238cd2a39d84d01035593e1dd4ab50543ee32fad3d9a1a6268e9
                                                        • Opcode Fuzzy Hash: 9409a7e29aad6f929f92793e9f54b130b71a3283ae5dc904d4ace3a940573ccf
                                                        • Instruction Fuzzy Hash: 68016DB2610300EFD7209F6ACC88B5ABBECEF95765B20C42EE14AD3150D674E840DB70
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetProcessHeap.KERNEL32(F4FD9A64,00000008,00000000,00000000,70389D3F,000000FF,?,7037D2FF,F4FD9A64,00000000,00000000,03251AF0,00000000,70389B46,000000FF), ref: 7037D289
                                                        • HeapFree.KERNEL32(00000000,00000000,00000008,?,7037D2FF,F4FD9A64,00000000,00000000,03251AF0,00000000,70389B46,000000FF,?,7037F154), ref: 7037D293
                                                        • GetProcessHeap.KERNEL32(F4FD9A64,00000008,00000000,00000000,70389D3F,000000FF,?,7037D2FF,F4FD9A64,00000000,00000000,03251AF0,00000000,70389B46,000000FF), ref: 7037D2A0
                                                        • HeapFree.KERNEL32(00000000,00000000,?,?,7037D2FF,F4FD9A64,00000000,00000000,03251AF0,00000000,70389B46,000000FF,?,7037F154), ref: 7037D2AA
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$FreeProcess
                                                        • String ID:
                                                        • API String ID: 3859560861-0
                                                        • Opcode ID: 332cb9dae6f27ce5b760e23c6822665d4ae0dbd340b4a9870e376eb5c346ab58
                                                        • Instruction ID: f4e89c3bbe2336a348d963c6c086cd6ce9e2cd098e266625ff6af9a46f8ac9eb
                                                        • Opcode Fuzzy Hash: 332cb9dae6f27ce5b760e23c6822665d4ae0dbd340b4a9870e376eb5c346ab58
                                                        • Instruction Fuzzy Hash: 20F06277504650AFC7208B56CC08F4A7BBCEB89B20F31495AF816E3280DB74A8008A74
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                          • Part of subcall function 7036E84C: ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,00000004,00000001,?,?,?,?,7036E902,00000000,00000000,?,?), ref: 7036E871
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,7036E2EB,00000004), ref: 7036E916
                                                        • HeapFree.KERNEL32(00000000,?,7036E2EB,00000004), ref: 7036E91D
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,7036E2EB,00000004), ref: 7036E92D
                                                        • HeapFree.KERNEL32(00000000,?,7036E2EB,00000004), ref: 7036E934
                                                        Memory Dump Source
                                                        • Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
                                                        • Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
                                                        • Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
                                                        Similarity
                                                        • API ID: Heap$FreeProcess$FileRead
                                                        • String ID:
                                                        • API String ID: 1508408528-0
                                                        • Opcode ID: f6b51def661e490a404335fc408ba3c6e4b41196751cc0629165c576d29b8ce4
                                                        • Instruction ID: 1d72814fe0385ba3cf0040301681b39854e5a27f6cd8dd579e9063bd471f587c
                                                        • Opcode Fuzzy Hash: f6b51def661e490a404335fc408ba3c6e4b41196751cc0629165c576d29b8ce4
                                                        • Instruction Fuzzy Hash: D2F030B2510204FFDB009BA1CC0DB9E76BCEF49309F200594E542D6155D675AA089760
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000008,?,?,7036A05E,00000000,?), ref: 703710D5
• HeapAlloc.KERNEL32(00000000,?,7036A05E,00000000,?), ref: 703710DC
• GetProcessHeap.KERNEL32(00000008,00000000,?,?,7036A05E,00000000,?), ref: 703710E9
• HeapReAlloc.KERNEL32(00000000,?,7036A05E,00000000,?), ref: 703710F0
Memory Dump Source
• Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
• Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
• Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: 76cf5287497b1ff22d2516452b6129367badc811c45957d93b6557771b7b7ec2
• Instruction ID: abf1a0339dc8e0bdd4a18095213a6fa1d8d093c5516722b3f36bd9845d9b8846
• Opcode Fuzzy Hash: 76cf5287497b1ff22d2516452b6129367badc811c45957d93b6557771b7b7ec2
• Instruction Fuzzy Hash: ABE0B677100244EFDB206FAACC4DB8A3BADABA4745F20C045F60AC6191CA78D4889B75
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(?,?,?,7036F3CB,?,?,7038A6E0,00000020), ref: 7036F3E8
• HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,7036F3CB,?,?,7038A6E0,00000020), ref: 7036F3F3
• GetProcessHeap.KERNEL32(?,?,?,7036F3CB,?,?,7038A6E0,00000020), ref: 7036F3FF
• HeapFree.KERNEL32(00000000,00000000,?,?,?,?,7036F3CB,?,?,7038A6E0,00000020), ref: 7036F40A
Memory Dump Source
• Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
• Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
• Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 0831ab63345927a1b398fe05eb91fc1d709415fe3a639d8360f5e607a41dddc9
• Instruction ID: 50b8f8e431c65be6800bd37451bde0c3294dec50283fb460a917592e3bfc412f
• Opcode Fuzzy Hash: 0831ab63345927a1b398fe05eb91fc1d709415fe3a639d8360f5e607a41dddc9
• Instruction Fuzzy Hash: 4FD042B2800108EFDF015BE28C0CBAE7A7DFB18306F310454F112A10A5C7384894DB34
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,7036A435), ref: 7036A458
• HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,7036A435), ref: 7036A45F
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,7036A435), ref: 7036A46F
• HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,7036A435), ref: 7036A476
Memory Dump Source
• Source File: 00000063.00000002.2475705274.0000000070368000.00000020.00000001.01000000.0000000C.sdmp, Offset: 70360000, based on PE: true
• Associated: 00000063.00000002.2475647480.0000000070360000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000063.00000002.2475705274.0000000070361000.00000020.00000001.01000000.0000000C.sdmp
• Associated: 00000063.00000002.2476784367.000000007038D000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000063.00000002.2476886349.000000007038F000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_99_2_70360000_SetupHost.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 1736e321fd20d5652d40007f3116d945e065111c10647888b7a65d8a63dbb7ac
• Instruction ID: dee994f032d00055d5fc7896721658f4ed494aa2fb09e0c882868f29ed0121b8
• Opcode Fuzzy Hash: 1736e321fd20d5652d40007f3116d945e065111c10647888b7a65d8a63dbb7ac
• Instruction Fuzzy Hash: 5ED042B2800204EFCF026BA2CC4CB9D7A7DBB18302F201444F103A10A2CB784494DB20
Uniqueness

Uniqueness Score: -1.00%